To the point:
- Cross-site scripting (XSS) bugs in the Elementor WordPress plugin have been found, according to Wordfence.
- It impacts over 7 million sites.
- With plugin version 3.1.2, the developers patched the bugs.
If you’re using Elementor on WordPress, you should update your site as soon as possible. The Elementor plugin for WordPress turned out to have some major XSS vulnerabilities, allowing logged-in users to run malicious code.
Cross-site scripting (XSS) vulnerabilities in the Elementor WordPress plugin have been found by Wordfence. As described in their article, the plugin lacked server-side validation of HTML tags. As a result, a logged-in user could manipulate the editor and inject malicious code.
For example, if a person with contributor access to a site using Elementor applies malicious code to a page, the code will be executed in the browser of the site editor or reviewer who views it. When an administrator reviews a post that contains the malicious code, the code runs with administrator privileges at the site level, which will result in a website takeover. According to the researchers, the Column, Icon Box, Image Box, Accordion, Heading, and Divider elements are among the vulnerable elements.
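The pattern behind this class of bug, shown as an added example that is not code from Elementor, Wordfence, or the article: a toy "heading" widget renderer that takes the wrapping HTML tag from the saved widget settings. The first version echoes the stored tag name with no server-side check, which is the weakness the advisory describes; the second accepts only an allowlist of tag names and falls back to a default. All function and setting names (`render_heading_unsafe`, `validate_heading_tag`, `header_tag`, and so on) are hypothetical, and the `esc_html` stand-in exists only so the file runs outside WordPress.

```php
<?php
// Added example, not code from Elementor, Wordfence or the article: a toy
// heading widget that lets the editor choose the wrapping HTML tag, first in
// the weak form the advisory describes (tag stored with the post and echoed
// without server-side validation), then with an allowlist. All function and
// setting names are hypothetical.

// Stand-in for WordPress's esc_html() so this file runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// WEAK: the tag name comes straight from the saved widget settings. The editor
// UI may only offer h1-h6/div/span/p, but a user who can save post content
// controls the request body, so that client-side restriction proves nothing.
// Whatever tag was stored is rendered in the reviewer's browser.
function render_heading_unsafe(array $settings): string {
    $tag   = $settings['header_tag'] ?? 'h2';
    $title = esc_html($settings['title'] ?? '');
    return "<{$tag}>{$title}</{$tag}>";   // tag is interpolated unchecked
}

// HARDENED: accept only the tags the widget is designed to emit and fall back
// to the default for anything else. Apply the same check when settings are
// saved and again when they are rendered, so stored data is never trusted.
const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

function validate_heading_tag($tag, string $default = 'h2'): string {
    if (!is_string($tag)) {
        return $default;
    }
    $tag = strtolower(trim($tag));
    return in_array($tag, ALLOWED_HEADING_TAGS, true) ? $tag : $default;
}

function render_heading_safe(array $settings): string {
    $tag   = validate_heading_tag($settings['header_tag'] ?? 'h2');
    $title = esc_html($settings['title'] ?? '');
    return "<{$tag}>{$title}</{$tag}>";
}

// Constructed sample: a contributor's saved settings carrying a tag name the
// editor UI never offers. Only the hardened renderer neutralises it.
$settings = ['header_tag' => 'script', 'title' => 'Quarterly report'];

echo "unsafe: " . render_heading_unsafe($settings) . PHP_EOL;
echo "safe:   " . render_heading_safe($settings) . PHP_EOL;
```

Run it with `php heading.php` and compare the two lines. The point of the allowlist is that it is enforced on the server, on the stored value, at render time; a dropdown in the editor only limits what the UI sends, not what a logged-in user can submit directly. The same check belongs in the save path so that bad values never reach the database in the first place.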
The vulnerabilities in the Elementor plugin were identified by Wordfence earlier this year, and the developers were notified. The developers patched the bugs in plugin version 3.1.2, and additional patches for the vulnerabilities followed in version 3.1.4.