Multiple Authenticated Stored Cross-Site Scripting
The CVSS score of the vulnerability is 6.4. According to Wordfence’s announcement, Elementor acknowledged the vulnerabilities shortly after the team contacted them and patched the vulnerability on March 2nd. Patch 3.1.2 addresses the vulnerabilities; however, Wordfence recommends that users update the plugin to at least 3.1.4.
February 23, 2021 – Wordfence Threat Intelligence releases a firewall rule to Premium users and provides full disclosure to the Elementor security contact.
February 24, 2021 – Elementor acknowledges the disclosure and begins to work on a fix.
March 2, 2021 – An initial patch becomes available in version 3.1.2.
March 8, 2021 – Additional fixes are put in place in version 3.1.4.
March 25, 2021 – The firewall rule becomes available to free users.
Wordfence Threat Intelligence stated,
“In today’s article, we detailed stored Cross-Site Scripting (XSS) vulnerabilities present in Elementor, which could be exploited via the Column element as well as the Accordion, Icon Box, Image Box, Heading, and Divider components. These vulnerabilities have been patched in version 3.1.4, and we strongly recommend that all users of Elementor update to the latest version available, which is 3.1.4 at the time of publication.”