Connect with us

NEWS

Vulnerabilities in 17+ Elementor Add-on Plugins for WordPress via @sejournal, @martinibuster

Published

on

Wordfence security researchers discovered that virtually every plugin tested that adds functionality to Elementor had a vulnerability. Many of the contacted plugin publishers updated their plugins but not all of them responded, including premium plugins.

The Elementor page builder plugin itself patched a similar vulnerability in February 2021.

This vulnerability affects add-on plugins for Elementor that are created by third parties.

Advertisement

Continue Reading Below

According to Wordfence:

“We found the same vulnerabilities in nearly every plugin we reviewed that adds additional elements to the Elementor page builder.”

So it seems that this vulnerability is fairly widespread within the third party plugins that are add-ons to Elementor

Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability is particularly problematic because the malicious script is uploaded to and stored on the website itself. Then when a user visits the affected web page the browser will execute the malicious script.

If the person visiting the site is signed in and has admin level access then the script could be used to provide that level of access to the hacker and lead to a total site takeover.

Advertisement

Advertisement

Continue Reading Below

This particular vulnerability allows an attacker with at least a contributor level permission to upload a script in place where an element (like a header element) is supposed to be.

The attack is similar to one that Elementor patched in February 2021.

This is how the Elementor vulnerability is described:

“…the “Heading” element can be set to use H1, H2, H3, etc. tags in order to apply different heading sizes via the header_size parameter.

Unfortunately, for six of these elements, the HTML tags were not validated on the server side, so it was possible for any user able to access the Elementor editor, including contributors, to use this option to add executable JavaScript to a post or page via a crafted request.”

List of Top Elementor Add-on Plugins Fixed

The list below of seventeen plugins for Elementor that were affected are installed on millions of sites.

Of those plugins there are over a hundred endpoints, which means that there were multiple vulnerabilities in each of the plugins where an attacker could upload a malicious JavaScript file.

Advertisement

The following list is just a partial one.

If your third party plugin that adds functionality to Elementor is not listed then it’s imperative to check with the publisher to make sure if it has been checked to see if it too contains this vulnerability.

Advertisement

Continue Reading Below

List of Top 17 Patched Elementor Plugins

  1. Essential Addons for Elementor
  2. Elementor – Header, Footer & Blocks Template
  3. Ultimate Addons for Elementor
  4. Premium Addons for Elementor
  5. ElementsKit
  6. Elementor Addon Elements
  7. Livemesh Addons for Elementor
  8. HT Mega – Absolute Addons for Elementor Page Builder
  9. WooLentor – WooCommerce Elementor Addons + Builder
  10. PowerPack Addons for Elementor
  11. Image Hover Effects – Elementor Addon
  12. Rife Elementor Extensions & Templates
  13. The Plus Addons for Elementor Page Builder Lite
  14. All-in-One Addons for Elementor – WidgetKit
  15. JetWidgets For Elementor
  16. Sina Extension for Elementor
  17. DethemeKit For Elementor

What to Do if You Use an Elementor Plugin?

Publishers using third party plugins for Elementor should make sure that those plugins have been updated to patch this vulnerability.

While this vulnerability requires at least a contributor level access, a hacker who is specifically targeting a site can leverage various attacks or strategies to obtain those credentials, including social engineering.

Advertisement

Continue Reading Below

According to Wordfence:

Advertisement

“It may be easier for an attacker to obtain access to an account with contributor privileges than to gain administrative credentials, and a vulnerability of this type can be used to perform privilege escalation by executing JavaScript in a reviewing administrator’s browser session.”

If your third party add-on plugin to Elementor has not recently been updated to patch a vulnerability you may want to contact the publisher of that plugin to ascertain if it is safe.

Citation

Recent Patches Rock the Elementor Ecosystem

Searchenginejournal.com

NEWS

Google December Product Reviews Update Affects More Than English Language Sites? via @sejournal, @martinibuster

Published

on

Google’s Product Reviews update was announced to be rolling out to the English language. No mention was made as to if or when it would roll out to other languages. Mueller answered a question as to whether it is rolling out to other languages.

Google December 2021 Product Reviews Update

On December 1, 2021, Google announced on Twitter that a Product Review update would be rolling out that would focus on English language web pages.

The focus of the update was for improving the quality of reviews shown in Google search, specifically targeting review sites.

A Googler tweeted a description of the kinds of sites that would be targeted for demotion in the search rankings:

“Mainly relevant to sites that post articles reviewing products.

Think of sites like “best TVs under $200″.com.

Goal is to improve the quality and usefulness of reviews we show users.”

Advertisement

Advertisement

Continue Reading Below

Google also published a blog post with more guidance on the product review update that introduced two new best practices that Google’s algorithm would be looking for.

The first best practice was a requirement of evidence that a product was actually handled and reviewed.

The second best practice was to provide links to more than one place that a user could purchase the product.

The Twitter announcement stated that it was rolling out to English language websites. The blog post did not mention what languages it was rolling out to nor did the blog post specify that the product review update was limited to the English language.

Google’s Mueller Thinking About Product Reviews Update

Screenshot of Google's John Mueller trying to recall if December Product Review Update affects more than the English language

Screenshot of Google's John Mueller trying to recall if December Product Review Update affects more than the English language

Product Review Update Targets More Languages?

The person asking the question was rightly under the impression that the product review update only affected English language search results.

Advertisement

Advertisement

Continue Reading Below

But he asserted that he was seeing search volatility in the German language that appears to be related to Google’s December 2021 Product Review Update.

This is his question:

“I was seeing some movements in German search as well.

So I was wondering if there could also be an effect on websites in other languages by this product reviews update… because we had lots of movement and volatility in the last weeks.

…My question is, is it possible that the product reviews update affects other sites as well?”

John Mueller answered:

“I don’t know… like other languages?

My assumption was this was global and and across all languages.

But I don’t know what we announced in the blog post specifically.

Advertisement

But usually we try to push the engineering team to make a decision on that so that we can document it properly in the blog post.

I don’t know if that happened with the product reviews update. I don’t recall the complete blog post.

But it’s… from my point of view it seems like something that we could be doing in multiple languages and wouldn’t be tied to English.

And even if it were English initially, it feels like something that is relevant across the board, and we should try to find ways to roll that out to other languages over time as well.

So I’m not particularly surprised that you see changes in Germany.

But I also don’t know what we actually announced with regards to the locations and languages that are involved.”

Does Product Reviews Update Affect More Languages?

While the tweeted announcement specified that the product reviews update was limited to the English language the official blog post did not mention any such limitations.

Google’s John Mueller offered his opinion that the product reviews update is something that Google could do in multiple languages.

Advertisement

One must wonder if the tweet was meant to communicate that the update was rolling out first in English and subsequently to other languages.

It’s unclear if the product reviews update was rolled out globally to more languages. Hopefully Google will clarify this soon.

Citations

Google Blog Post About Product Reviews Update

Product reviews update and your site

Google’s New Product Reviews Guidelines

Write high quality product reviews

John Mueller Discusses If Product Reviews Update Is Global

Watch Mueller answer the question at the 14:00 Minute Mark

[embedded content]

Searchenginejournal.com

Continue Reading




DON'T MISS ANY IMPORTANT NEWS!
Subscribe To our Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

Trending

en_USEnglish