Advertisement
  1. SEJ
  2.  ⋅ 
  3. WordPress

WordPress Elementor Addons Vulnerability Affects 400k Sites

The WordPress Happy Addons for Elementor plugin patched a stored XSS vulnerability that allowed attackers to upload malicious scripts

WordPress Elementor Addons Vulnerability Affects 400k Sites

Wordfence issued an advisory on a vulnerability patched in the popular Happy Addons for Elementor plugin, installed on over 400,000 websites. The security flaw could allow attackers to upload malicious scripts that execute when browsers visit affected pages.

Happy Addons for Elementor

The Happy Addons for Elementor plugin extends the Elementor page builder with dozens of free widgets and features like image grids, a user feedback and reviews function, and custom navigation menus. A paid version of the plugin offers even more design functionalities that make it easy to create functional and attractive WordPress websites.

Stored Cross-Site Scripting (Stored XSS)

Stored XSS is a vulnerability typically occur when a theme or plugin doesn’t properly filter user inputs (called sanitization), allowing malicious scripts to be uploaded to the database and stored on the server itself. When a user visits the website the script downloads to the browser and executes actions like stealing browser cookies or redirecting the user to a malicious website.

The stored XSS vulnerability affecting the Happy Addons for Elementor plugin requires a hacker acquiring Contributor-level permissions (authentication), making it harder to take advantage of the vulnerability.

WordPress security company Wordfence rated the vulnerability 6.4 on a scale of 1 – 10, a medium threat level.

According Wordfence:

“The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the before_label parameter in the Image Comparison widget in all versions up to, and including, 3.12.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

Plugin users should consider updating to the latest version, currently 3.12.6, which contains a security patch for the vulnerability.

Read the Wordfence advisory:

Happy Addons for Elementor <= 3.12.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison

Featured Image by Shutterstock/Red Cristal

Category News WordPress
ADVERTISEMENT
SEJ STAFF Roger Montti Owner - Martinibuster.com at Martinibuster.com

I have 25 years hands-on experience in SEO, evolving along with the search engines by keeping up with the latest ...