Exploitation Level: Easy/Requires Authentication
DREAD Score: 8.0
Vulnerability: Stored XSS
Patched Version: 2.7.6
During a routine audit of WordPress plugins last December, we discovered a Stored XSS vulnerability in the very popular Elementor Page Builder plugin, which powers over 3 million websites according to the official active installs count.
Are You Affected?
This vulnerability is exploitable on sites that allow users to have accounts and are running an Elementor version lower than 2.7.6, which was released last December.
Indicators of Compromise
This vulnerability can be exploited via the WordPress AJAX endpoint /wp-admin/admin-ajax.php.
Depending on the exploit, website owners may be able to flag attacks in access logs by looking for requests from unknown IPs containing action=elementor_js_log in the request.
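The access-log check described above, as an added example that is not part of the original advisory. It assumes Combined Log Format; the function name, the known-IP allowlist and the sample lines are constructed for illustration. It only sees the action when it appears in the request URL, because standard access logs do not record POST bodies.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ENDPOINT = "/wp-admin/admin-ajax.php"
ACTION = "elementor_js_log"


def find_suspect_requests(lines, known_ips=frozenset()):
    """Group requests carrying action=elementor_js_log by source IP.

    Returns {ip: [(time, method, status), ...]}, skipping IPs in known_ips
    (a hypothetical allowlist of your own editors and admins).
    """
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] in known_ips:
            continue
        url = urlsplit(m["target"])
        # endswith() also covers WordPress installed in a subdirectory.
        if not unquote(url.path).endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes, so action=elementor%5Fjs%5Flog matches too.
        if ACTION in parse_qs(url.query).get("action", []):
            hits[m["ip"]].append((m["time"], m["method"], m["status"]))
    return dict(hits)


# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2020:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=elementor_js_log HTTP/1.1" 200 58 "-" "-"',
    '203.0.113.7 - - [12/Jan/2020:10:01:09 +0000] "GET /blog/wp-admin/admin-ajax.php?action=elementor%5Fjs%5Flog HTTP/1.1" 200 58 "-" "-"',
    '198.51.100.20 - - [12/Jan/2020:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 120 "-" "-"',
    '192.0.2.10 - - [12/Jan/2020:10:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=elementor_js_log HTTP/1.1" 200 58 "-" "-"',
    '198.51.100.20 - - [12/Jan/2020:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for ip, reqs in find_suspect_requests(SAMPLE_LOG, {"192.0.2.10"}).items():
        print(ip, len(reqs), reqs)
```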
Conclusion & Mitigation Steps
To protect against this vulnerability, we strongly encourage users of the Elementor Page Builder to update their site to the latest version available as soon as possible — 2.8.5 at the time of writing.
Users who are unable to update immediately can leverage the Sucuri Firewall or equivalent technology to virtually patch the vulnerability.