Over 3.5 Million Websites Vulnerable to Multiple ‘Elementor’ Flaws

• A large number of sites using various ‘Elementor’ plugins are vulnerable to XSS flaws.
• The attacks aren’t large-scale but can cause great damage to specific targets nonetheless.
• Updating your ‘Elementor’ plugins to the latest available version addresses the associated risks.

A team of researchers at Wordfence warns about a set of 17 ‘Elementor’ plugins vulnerable to recently-disclosed vulnerabilities affecting over 3.5 million websites. The flaws allow any user to access components that should be out of their reach - like the Elementor editor - and add JavaScript snippets into the posts.

Whenever that post is viewed, edited, or previewed by another user of the website, the snippet runs. If the code is crafted maliciously, the possibilities could go as high as gaining admin access on the site.

The following plugins are vulnerable to these cross-site scripting flaws:

• Essential Addons for Elementor – prior to v4.5.4, 1 million installations
• Elementor – Header, Footer & Blocks Template – prior to v1.5.8, 1 million installations
• Ultimate Addons for Elementor – prior to v1.30.0, 600k installations
• Premium Addons for Elementor – prior to v4.2.8, 400k installations
• ElementsKit– prior to v2.2.0 300k installations
• Elementor Addon Elements – prior to v1.11.2, 100k installations
• Livemesh Addons for Elementor– prior to v6.8, 100k installations
• HT Mega – Absolute Addons for Elementor Page Builder – prior to v1.5.7, 70k installations
• WooLentor – WooCommerce Elementor Addons + Builder – prior to v1.8.6, 50k installations
• PowerPack Addons for Elementor – prior to v2.3.2, 50k installations
• Image Hover Effects – Elementor Addon– prior to v1.3.4, 40k installations
• Rife Elementor Extensions & Templates– prior to v1.1.6, 30k installations
• The Plus Addons for Elementor Page Builder Lite – prior to v2.0.6, 30k installations
• All-in-One Addons for Elementor – WidgetKit – prior to v2.3.10, 20k installations
• JetWidgets For Elementor – prior to v1.0.9, 10k installations
• Sina Extension for Elementor – prior to v3.3.12, 10k installations
• DethemeKit For Elementor – prior to v1.5.5.5, 8k installations

If you manage a website using any of the above plugins, make sure to update to the latest available version to avoid any nasty XSS surprises to you or your contributors. Remember, the attacks rely on privilege escalation, so seeing your website taken over and wiped just because you were running a vulnerable Elementor plugin is possible.

If you are a developer who publishes plugins to help extend the functionality of Elementor, you should also review your code and scrutinize the base that you’ve used for relevant flaws. While these vulnerabilities aren’t being exploited en masse, they are excellent tools for highly targeted actors.