Multiple security flaws put 3.5 million WordPress websites at risk
Vulnerabilities allow contributors to add JavaScript to posts
The Wordfence Threat Intelligence team has discovered vulnerabilities in more than 15 add-ons for the WordPress plugin and popular website builder Elementor.
These 15 add-ons for Elementor are collectively installed on over 3.5 million WordPress sites and, in total, Wordfence found over 100 vulnerable endpoints.
These stored cross-site scripting (XSS) vulnerabilities are similar in execution to the serious vulnerability in Elementor itself that the company recently patched. When exploited, they allow any user capable of accessing the website builder, including contributors, to add JavaScript to posts.
That JavaScript is then executed when the post is viewed, edited or previewed by other users on the site, and it could be used to take over the site if the victim is an administrator.
Vulnerable add-ons
As was the case with the vulnerability in the main Elementor plugin, each of these add-ons adds elements that let users select an HTML tag from a drop-down menu to format a title or other text. However, because the tag options are only offered in the editor and not enforced on the server side, an attacker can add a new title element and change an "H5" heading tag to a "script" tag. In many cases JavaScript can be added directly through the injected tag; otherwise the attacker can use it to load malicious code onto the vulnerable WordPress site.
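The pattern described above, shown as an added PHP illustration that is not Wordfence's code and not the code of Elementor or any of the affected add-ons: a hypothetical heading widget renders a tag that the editor's drop-down supplies, first trusting the value as stored (the vulnerable pattern), then enforcing the drop-down's choices with a server-side allowlist. The function names, the `html_tag`/`title` setting keys and the sample payload are all constructed for this example; `esc_html()` is WordPress's escaping function, shimmed here only so the file runs stand-alone.

```php
<?php
// Stand-alone shim for WordPress's esc_html() so this example runs outside WordPress.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

// Vulnerable pattern (hypothetical widget): the tag is trusted because "the
// drop-down only offers h1-h6". The drop-down lives in the browser; the value
// that reaches the server is an arbitrary string from the request body, which
// a Contributor can set to "script" when saving the widget's settings.
function render_heading_vulnerable( array $settings ): string {
    $tag  = $settings['html_tag'] ?? 'h2';
    $text = esc_html( $settings['title'] ?? '' );
    // Escaping the title does nothing for the tag: the tag IS the payload here.
    return "<{$tag}>{$text}</{$tag}>";
}

// Hardened pattern: re-validate the tag on the server against the exact set
// the drop-down is allowed to offer, and fall back to a safe default otherwise.
const ALLOWED_TITLE_TAGS = [ 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p' ];

function validate_title_tag( string $tag, string $default = 'h2' ): string {
    $tag = strtolower( trim( $tag ) );
    // Strict comparison so odd types or "0"-style values can't slip through.
    return in_array( $tag, ALLOWED_TITLE_TAGS, true ) ? $tag : $default;
}

function render_heading_hardened( array $settings ): string {
    $tag  = validate_title_tag( (string) ( $settings['html_tag'] ?? 'h2' ) );
    $text = esc_html( $settings['title'] ?? '' );
    return "<{$tag}>{$text}</{$tag}>";
}

// Constructed attacker payload: a tag the drop-down never offered, with the
// "title" text serving as the script body.
$payload = [ 'html_tag' => 'script', 'title' => 'alert(document.cookie)' ];

echo "vulnerable: ", render_heading_vulnerable( $payload ), "\n";
echo "hardened:   ", render_heading_hardened( $payload ), "\n";
```

The point of the side-by-side is that escaping the text content is not the fix: once the element name itself is attacker-controlled, the escaped title simply becomes the body of a `<script>` element. The only server-side control that works is refusing any tag outside the allowlist, which is the same shape of fix Wordfence describes for the add-ons (tag options enforced on the server rather than only in the editor UI).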
In a new blog post, Wordfence lists all of the vulnerable add-ons, which have now been patched. Not all of the developers and publishers the company reached out to responded to its initial contact requests, however; in those cases Wordfence contacted the WordPress plugin repository directly to have the vulnerable add-ons reviewed.
Sites using Elementor with multiple users that can contribute content and are running an unpatched version of one of these add-ons should be considered at risk. For this reason, Wordfence recommends that site owners update as soon as possible.
If your site is running an Elementor add-on that extends the website builder with new elements or widgets and is not listed in Wordfence's blog post, the company recommends contacting the author or developer directly to verify that they have audited their add-on for these issues.
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.