
WordPress Security Alert: XSS Vulnerability in Essential Addons for Elementor

Attacks on websites are a common thing these days. You wake up in the morning, open your phone to get the latest news, and a cyber security attack is now a regular headline. Attackers keep exploiting vulnerabilities and malware researchers keep fighting them. This loop never breaks.

We have all seen that WordPress sites are a major target for cyberattacks because WordPress is such a popular CMS. Just when we thought that everything was under control for WordPress websites, a serious security hole has been found and fixed in a widely used plugin.

If you are using the “Essential Addons for Elementor” plugin, you need to pay close attention. The Patchstack security team recently discovered and reported a “reflected cross-site scripting” (XSS) vulnerability that could have let bad actors take control of your site.

This flaw, first uncovered by Chazz Wolcott, a security researcher at Patchstack, could have allowed attackers to inject malicious scripts into websites, leading to data theft, unauthorized actions, or session hijacking.

Discovery and Technical Details

What is a “reflected cross-site scripting” (XSS) vulnerability?

We often use a website's search bar to look for something specific on the site. The search term usually appears in the URL as a query parameter (for example ?s=search+term). A reflected XSS vulnerability occurs when a website takes user input, such as a search term or URL parameter, and displays it on the page without properly validating or escaping it. This allows attackers to trick users into clicking a malicious link that runs harmful JavaScript in their browser.

The vulnerability was found in the plugin’s popup-selector query parameter. Due to improper input validation, attackers could create a malicious URL containing a specially formatted value for this parameter. If a logged-in user clicked on the link, the injected JavaScript would execute in their browser.

Details of the Vulnerability

Imagine someone sending you a link that, when clicked, secretly changes something on your website without you knowing. Isn’t that frightening? This type of vulnerability could be used to steal sensitive information, redirect users to phishing pages, or even completely take over your site.

According to Chazz Wolcott’s detailed report, “The vulnerability occurred due to insufficient validation and sanitizing of the popup-selector query argument, allowing for a malicious value to be reflected back at the user.”
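To make the mechanism concrete, here is an added illustration of the vulnerability class described above, written for this post and not taken from the plugin's code: a hypothetical template function reflects the popup-selector query value into an HTML attribute, first without any checks and then with the allow-list validation and attribute escaping that close the hole. It assumes it runs inside WordPress so that wp_unslash() and esc_attr() are available.

```php
<?php
// Added illustration, NOT the plugin's own code. Both functions reflect the
// popup-selector query value into a data attribute of a placeholder element.

// Vulnerable pattern: the raw query value is echoed without validation or escaping.
function render_popup_vulnerable() {
    $selector = isset( $_GET['popup-selector'] ) ? $_GET['popup-selector'] : '';
    return '<div class="popup" data-selector="' . $selector . '"></div>';
}

// Hardened pattern: accept only a plain selector token (allow-list check), then
// escape for the attribute context with WordPress's esc_attr().
function render_popup_hardened() {
    $selector = isset( $_GET['popup-selector'] ) ? wp_unslash( $_GET['popup-selector'] ) : '';
    // A CSS id/class selector needs nothing beyond these characters; anything
    // else (quotes, angle brackets, spaces) is rejected rather than "cleaned".
    if ( ! preg_match( '/^[A-Za-z0-9_.#-]{1,64}$/', $selector ) ) {
        $selector = '';
    }
    return '<div class="popup" data-selector="' . esc_attr( $selector ) . '"></div>';
}

// Constructed request value showing why the check matters: a double quote lets
// the value leave the attribute and start a new tag in the reflected page.
$_GET['popup-selector'] = '"><script>alert(1)</script>';
echo render_popup_vulnerable() . "\n"; // attribute broken, script tag reflected
echo render_popup_hardened() . "\n";   // data-selector="", nothing reflected
```

The same two-step rule applies to any reflected parameter: validate the value against the shape you expect, then escape it for the exact context (attribute, text node, URL, JavaScript) where it is printed.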

Why Should You Care?

An attacker could send a specially crafted malicious link to a website admin, and if the admin clicked that link, the malicious code would run in their browser. Because the admin is logged in, the code would run with the admin's privileges, enabling the attacker to make changes to the website or steal data.

With over 2 million websites using this plugin, the potential impact is huge. Such an attack could steal login credentials, take complete control of your site by installing backdoors, or even spread malware to your visitors.

Patch and Mitigation

The developers of Essential Addons for Elementor have released an update (version 6.0.15) to fix the issue. The patch improves input validation for the popup-selector parameter, preventing attackers from injecting unauthorized scripts.

Website administrators are strongly advised to update their plugin immediately to prevent potential exploitation. The sooner you update your plugin, the safer your site is against automated scanning and exploitation by attackers.

Conclusion

This incident highlights the ongoing security risks associated with third-party WordPress plugins. Since plugins like Essential Addons for Elementor add dynamic functionality to websites, they can also introduce vulnerabilities if not properly maintained.

Website owners using Essential Addons for Elementor should update to the latest version immediately and follow best security practices to protect their sites from similar threats.

For more security updates, stay tuned to MalVirus.