Recent reports indicate that a cross-site scripting (XSS) vulnerability in the Elementor page builder plugin for WordPress can facilitate a full website takeover.
Security researchers found that websites built with the Elementor plugin are susceptible to this XSS vulnerability, which can enable malicious attackers to gain control of a website.
The Cross Site Scripting Vulnerability:
For those unfamiliar with it, a cross-site scripting vulnerability is exploited when a malicious actor delivers malicious code that is then executed in the browsers of victims visiting the website.
The malicious code can then perform numerous malicious activities, such as stealing cookies, passwords, and credentials.
The vulnerability found in the Elementor plugin is classified as stored cross-site scripting because the malicious code is stored on the victim website itself.
Security experts have noted that the stored XSS vulnerability affecting Elementor can be exploited to steal administrator credentials. The malicious actor must, however, first gain a publishing-level WordPress user role.
Workings of the XSS vulnerability:
The Elementor cross-site scripting vulnerability exploits a loophole that allows an attacker to upload a malicious script within the editing screen.
The loophole apparently existed in the Accordion, Icon Box, Image Box, Heading, Divider, and Column elements of the Elementor plugin.
Once the malicious script has been uploaded, any visitor to the website, including an editor previewing the web page prior to publishing, will execute the code in their browser and have their authenticated session placed at the disposal of the malicious actor.
Users should mitigate risks:
Due to the rather severe nature of the XSS vulnerability, Elementor users have been recommended to update Elementor to at least version 3.1.4, even though the official Elementor Pro changelog notes that a security patch has been deployed.
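
Alongside updating, site owners may want to check whether anything was already stored in the affected elements. The following Python check is an added example, not code from Elementor or from the reports above: it walks saved page-builder data and flags active content in the settings of the elements named earlier. It assumes the data is a JSON tree whose nodes carry `elType`, `widgetType`, `settings` and `elements` keys; the element identifiers, setting names and sample data are assumptions constructed for illustration.

```python
import json
import re

# Elements the article names as affected. The identifiers are assumptions about
# how the builder labels them in its saved JSON ("widgetType" / "elType").
AFFECTED = {"accordion", "icon-box", "image-box", "heading", "divider", "column"}

# Heuristic markers of active content inside a stored setting value.
ACTIVE = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def strings(value, path=""):
    """Yield (path, text) for every string nested inside a settings value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from strings(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from strings(item, f"{path}[{index}]")


def scan(elements):
    """Return (element id, element kind, setting path) for suspicious settings."""
    findings = []
    for element in elements:
        kind = element.get("widgetType") or element.get("elType")
        if kind in AFFECTED:
            for path, text in strings(element.get("settings", {})):
                if ACTIVE.search(text):
                    findings.append((element.get("id"), kind, path))
        findings.extend(scan(element.get("elements", [])))  # nested children
    return findings


# Constructed sample of one page's saved builder data (not real site data).
SAMPLE = json.loads("""
[{"id": "a1", "elType": "section", "settings": {}, "elements": [
  {"id": "b2", "elType": "column", "settings": {"width": 100}, "elements": [
    {"id": "c3", "elType": "widget", "widgetType": "heading",
     "settings": {"title": "Welcome"}, "elements": []},
    {"id": "d4", "elType": "widget", "widgetType": "accordion",
     "settings": {"tabs": [{"tab_title": "FAQ",
       "tab_content": "<p onmouseover=alert(1)>text</p>"}]}, "elements": []}
  ]}
]}]
""")

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The patterns are heuristics, so each finding should be reviewed by hand: legitimate markup can match, and a clean result does not prove that nothing was stored.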