Security researchers at Wordfence discovered a vulnerability on sites built with Elementor. The exploit is a type designated as a Stored Cross-site Scripting (XSS) vulnerability. It has the potential to enable attackers to seize control of a website.
Stored Cross Site Vulnerability
Cross Site Scripting (XSS) is a type of vulnerability where an attacker uploads a malicious script that will then be executed by anyone who visits the web page where the script is displayed to the browser.
The script can do any number of things like steal cookies, password credentials and so on.
This particular version of XSS exploit is called a Stored Cross Site Scripting vulnerability because it is stored on the website itself.
The other kind of XSS is called a Reflected Cross Site Scripting, which depends on a link being clicked (like through an email).
Stored Cross Site Scripting is has the greater potential to do harm because it can attack any visitor to a web page.
Stored XSS Elementor Exploit
The stored XSS vulnerability affecting Elementor can be used to steal administrator credentials. The attacker must however first obtain a publishing level WordPress user role, even the lowest Contributor level can initiate the attack.
Contributor level WordPress role is a low level of registered user that can read, publish, edit and delete their own articles on a website. They cannot however upload media files like images.
How the Elementor Vulnerability Attack Works
The vulnerability exploits a loophole that allows an attacker the ability to upload a malicious script within the editing screen.
The loophole existed in six Elementor components:
- Icon Box
- Image Box
Wordfence explained how attackers exploit these components:
“Many of these elements offer the option to set an HTML tag for the content within. For example, the “Heading” element can be set to use H1, H2, H3, etc. tags in order to apply different heading sizes via the header_size parameter.
Once the script was uploaded any visitor to the web page, even if it’s the editor previewing the page before publishing, could execute the code in the browser and have their authenticated session made available to the attacker.
Update Elementor Now
It is recommended by Wordfence that all users of Elementor update their version to at least 3.1.4 (per Wordfence) although the official Elementor Pro changeglog states that there’s a security fix.
A changelog is a software developer’s official record of changes to every version of the software.
It may be prudent to update to the very latest version available, as Elementor Pro 3.2.0 fixes a security issue:
“Sanitized options in the editor to enforce better security policies”
Official Wordfence Announcement:
Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites
Google December Product Reviews Update Affects More Than English Language Sites? via @sejournal, @martinibuster
Google’s Product Reviews update was announced to be rolling out to the English language. No mention was made as to if or when it would roll out to other languages. Mueller answered a question as to whether it is rolling out to other languages.
Google December 2021 Product Reviews Update
On December 1, 2021, Google announced on Twitter that a Product Review update would be rolling out that would focus on English language web pages.
Our December 2021 product reviews update is now rolling out for English-language pages. It will take about three weeks to complete. We have also extended our advice for product review creators: https://t.co/N4rjJWoaqE
— Google Search Central (@googlesearchc) December 1, 2021
The focus of the update was for improving the quality of reviews shown in Google search, specifically targeting review sites.
A Googler tweeted a description of the kinds of sites that would be targeted for demotion in the search rankings:
“Mainly relevant to sites that post articles reviewing products.
Think of sites like “best TVs under $200″.com.
Goal is to improve the quality and usefulness of reviews we show users.”
Continue Reading Below
Google also published a blog post with more guidance on the product review update that introduced two new best practices that Google’s algorithm would be looking for.
The first best practice was a requirement of evidence that a product was actually handled and reviewed.
The second best practice was to provide links to more than one place that a user could purchase the product.
The Twitter announcement stated that it was rolling out to English language websites. The blog post did not mention what languages it was rolling out to nor did the blog post specify that the product review update was limited to the English language.
Google’s Mueller Thinking About Product Reviews Update
Product Review Update Targets More Languages?
The person asking the question was rightly under the impression that the product review update only affected English language search results.
Continue Reading Below
But he asserted that he was seeing search volatility in the German language that appears to be related to Google’s December 2021 Product Review Update.
This is his question:
“I was seeing some movements in German search as well.
So I was wondering if there could also be an effect on websites in other languages by this product reviews update… because we had lots of movement and volatility in the last weeks.
…My question is, is it possible that the product reviews update affects other sites as well?”
John Mueller answered:
“I don’t know… like other languages?
My assumption was this was global and and across all languages.
But I don’t know what we announced in the blog post specifically.
But usually we try to push the engineering team to make a decision on that so that we can document it properly in the blog post.
I don’t know if that happened with the product reviews update. I don’t recall the complete blog post.
But it’s… from my point of view it seems like something that we could be doing in multiple languages and wouldn’t be tied to English.
And even if it were English initially, it feels like something that is relevant across the board, and we should try to find ways to roll that out to other languages over time as well.
So I’m not particularly surprised that you see changes in Germany.
But I also don’t know what we actually announced with regards to the locations and languages that are involved.”
Does Product Reviews Update Affect More Languages?
While the tweeted announcement specified that the product reviews update was limited to the English language the official blog post did not mention any such limitations.
Google’s John Mueller offered his opinion that the product reviews update is something that Google could do in multiple languages.
One must wonder if the tweet was meant to communicate that the update was rolling out first in English and subsequently to other languages.
It’s unclear if the product reviews update was rolled out globally to more languages. Hopefully Google will clarify this soon.
Google Blog Post About Product Reviews Update
Google’s New Product Reviews Guidelines
John Mueller Discusses If Product Reviews Update Is Global
Watch Mueller answer the question at the 14:00 Minute Mark
Google Analytics 4 Does Not Support Google AMP
Elon Musk Announces He is Temporarily Halting Twitter Purchase
What you need to know from Google Marketing Live
Google Analytics 4 Should Trigger Reorganizations & Agency Reviews
30 Popular Job Boards That Will Help You Hire The Most Qualified Candidates
How To Use Statistics Content To Attract High Quality Backlinks
Twitter Launches New ‘Twitter Create’ Mini-Site to Highlight Monetization Opportunities for Creators
The Ultimate Guide to Paid Marketing for B2B
Take web hosting to the (NVMe) extreme
Google Ads News From Google Marketing Live
LinkedIn Adds Live Captions for Audio Events, Custom URL Listings on Creator Profiles
Daily Search Forum Recap: May 2, 2022
Six Ways to Adjust Google Ads to Save Budget
How Does Google Multisearch Affect SEO?
How to Write the Perfect Page Title With SEO in Mind
Where To Invest In SEO For Maximum Impact
Google Testing New Ad Format With Swipeable Images In A Carousel
Google Says You Can Use Hashtags In Meta Descriptions
Google Search Console URL Parameter Tool Is Now Offline
What’s A Good Cost Per Acquisition (CPA)? Ask The PPC
MARKETING6 days ago
The Ultimate Guide to On-Page SEO in 2022
MARKETING7 days ago
How to Use Pinterest Advertising to Promote Products and Attract Customers
SEARCHENGINES4 days ago
Google Displays Out Of Stock For Items Using Back Order Value In Structured Data
MARKETING2 days ago
50 Video Marketing Statistics to Inform Your 2022 Strategy [New Data]