A vulnerability affecting more than 200,000 installations was recently patched in a WordPress plugin add-on for the well-known Elementor website builder. The Jeg Elementor Kit plugin contained a flaw that lets authenticated attackers upload malicious code.
Stored Cross-Site Scripting (XSS)
The patch resolved a potential Stored Cross-Site Scripting vulnerability, which lets an attacker upload malicious files to the website's server, where they are executed whenever a user views the page. This differs from Reflected XSS, which has to trick an administrator or another user into triggering the attack by clicking a crafted link. Either type of XSS can lead to a full site takeover.
Poor Sanitization and Output Escaping
In an advisory, Wordfence stated that the vulnerability stems from a lapse in the standard security practice known as sanitization, which requires a plugin to filter the content that users can enter on the website. If an image or text is expected, every other form of input must be rejected.
The patch also corrected a second weakness, in a security measure known as "output escaping." Output escaping works much like filtering but applies to the plugin's own output, stopping it from emitting things like malicious scripts. Its specific job is to translate characters that could otherwise be interpreted as code, so the output is never treated as code and a malicious script cannot run in the user's browser.
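The two controls described above, input sanitization of an uploaded SVG and output escaping of user-supplied text, are shown together in this added Python example. It is not code from the plugin or from Wordfence; the element and attribute lists, the sample SVG documents and the media-row renderer are all constructed for illustration, and a WordPress plugin would apply the same logic in PHP in its upload filter and with esc_html()/esc_attr() at render time.

```python
import html
import xml.etree.ElementTree as ET

# Sanitization rules (constructed for this example): element names and
# attribute patterns that let an SVG file carry executable content.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRIBUTES = {"href", "src"}          # "xlink:href" becomes "href" after namespace stripping
FORBIDDEN_URL_PREFIXES = ("javascript:", "data:", "vbscript:")


def _local(name):
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1]


def check_svg(svg_text):
    """Input sanitization: return (is_safe, reasons) for an uploaded SVG document.

    Note: xml.etree is not hardened against hostile XML (entity expansion);
    a production upload filter should parse with defusedxml instead.
    """
    reasons = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return False, [f"not well-formed XML: {exc}"]
    if _local(root.tag).lower() != "svg":
        return False, [f"root element is <{_local(root.tag)}>, not <svg>"]
    for elem in root.iter():                      # iter() includes the root itself
        tag = _local(elem.tag).lower()
        if tag in FORBIDDEN_ELEMENTS:
            reasons.append(f"forbidden element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):             # onload=, onclick=, ... are event handlers
                reasons.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and value.strip().lower().startswith(FORBIDDEN_URL_PREFIXES):
                reasons.append(f"{name} on <{tag}> uses a {value.split(':')[0]}: URL")
    return (not reasons), reasons


def escape_html(text):
    """Output escaping: make untrusted text inert inside HTML text or a quoted attribute."""
    return html.escape(text, quote=True)


def render_attachment_row(title, url):
    """Render one media-library row, escaping every untrusted value at output time."""
    return (f"<tr><td>{escape_html(title)}</td>"
            f'<td><a href="{escape_html(url)}">view</a></td></tr>')


# Constructed sample uploads: one benign, three that a sanitizer must reject.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              '<circle cx="5" cy="5" r="4"/></svg>')
SCRIPT_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HANDLER_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
               '<rect width="1" height="1"/></svg>')
LINK_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            '<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                       ("handler", HANDLER_SVG), ("link", LINK_SVG)]:
        ok, why = check_svg(doc)
        print(f"{label:8} safe={ok} {why}")
    # A hostile attachment title is rendered harmlessly because it is escaped on output.
    print(render_attachment_row('<img src=x onerror=alert(1)>', "/wp-content/uploads/logo.svg"))
```

The check runs before the file is stored, so a rejected SVG never reaches the uploads directory; the escaping runs every time the title is rendered, so even data that reached the database through some other path cannot execute in the browser. Both layers are needed: the advisory attributes the flaw to the absence of each.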
According to the Wordfence advisory,
Due to inadequate input sanitization and output escaping, the Jeg Elementor Kit plugin for WordPress is susceptible to Stored Cross-Site Scripting via SVG file uploads in all versions up to and including 2.6.7. This enables authenticated attackers with Author-level access and above to insert arbitrary web scripts into sites that will run each time a user views the SVG file.
Medium Level Threat
The vulnerability received a Medium Level threat score of 6.4 on a scale of 1 to 10. Users are advised to update to Jeg Elementor Kit version 2.6.8 (or higher if available).