NEWS

WordPress Elementor Vulnerability Affects +7 Million

Published

2 years ago

March 18, 2021

WordPress Elementor Vulnerability Affects +7 Million

Security researchers at Wordfence discovered a vulnerability on sites built with Elementor. The exploit is a type designated as a Stored Cross-site Scripting (XSS) vulnerability. It has the potential to enable attackers to seize control of a website.

Stored Cross Site Vulnerability

Cross Site Scripting (XSS) is a type of vulnerability where an attacker uploads a malicious script that will then be executed by anyone who visits the web page where the script is displayed to the browser.

The script can do any number of things like steal cookies, password credentials and so on.

This particular version of XSS exploit is called a Stored Cross Site Scripting vulnerability because it is stored on the website itself.

The other kind of XSS is called a Reflected Cross Site Scripting, which depends on a link being clicked (like through an email).

Stored Cross Site Scripting is has the greater potential to do harm because it can attack any visitor to a web page.

Stored XSS Elementor Exploit

The stored XSS vulnerability affecting Elementor can be used to steal administrator credentials. The attacker must however first obtain a publishing level WordPress user role, even the lowest Contributor level can initiate the attack.

Contributor level WordPress role is a low level of registered user that can read, publish, edit and delete their own articles on a website. They cannot however upload media files like images.

How the Elementor Vulnerability Attack Works

The vulnerability exploits a loophole that allows an attacker the ability to upload a malicious script within the editing screen.

The loophole existed in six Elementor components:

Accordion
Icon Box
Image Box
Heading
Divider
Column

Wordfence explained how attackers exploit these components:

“Many of these elements offer the option to set an HTML tag for the content within. For example, the “Heading” element can be set to use H1, H2, H3, etc. tags in order to apply different heading sizes via the header_size parameter.
Unfortunately, for six of these elements, the HTML tags were not validated on the server side, so it was possible for any user able to access the Elementor editor, including contributors, to use this option to add executable JavaScript to a post or page via a crafted request.”

Once the script was uploaded any visitor to the web page, even if it’s the editor previewing the page before publishing, could execute the code in the browser and have their authenticated session made available to the attacker.

Update Elementor Now

It is recommended by Wordfence that all users of Elementor update their version to at least 3.1.4 (per Wordfence) although the official Elementor Pro changeglog states that there’s a security fix.

A changelog is a software developer’s official record of changes to every version of the software.

It may be prudent to update to the very latest version available, as Elementor Pro 3.2.0 fixes a security issue:

“Sanitized options in the editor to enforce better security policies”

Citations

Official Wordfence Announcement:
Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites

Elementor Pro Changelog

Searchenginejournal.com

NEWS

Google December Product Reviews Update Affects More Than English Language Sites? via @sejournal, @martinibuster

Published

9 months ago

December 28, 2021

Roger Montti

Google’s Product Reviews update was announced to be rolling out to the English language. No mention was made as to if or when it would roll out to other languages. Mueller answered a question as to whether it is rolling out to other languages.

Google December 2021 Product Reviews Update

On December 1, 2021, Google announced on Twitter that a Product Review update would be rolling out that would focus on English language web pages.

Our December 2021 product reviews update is now rolling out for English-language pages. It will take about three weeks to complete. We have also extended our advice for product review creators: https://t.co/N4rjJWoaqE
— Google Search Central (@googlesearchc) December 1, 2021

The focus of the update was for improving the quality of reviews shown in Google search, specifically targeting review sites.

A Googler tweeted a description of the kinds of sites that would be targeted for demotion in the search rankings:

“Mainly relevant to sites that post articles reviewing products.
Think of sites like “best TVs under $200″.com.
Goal is to improve the quality and usefulness of reviews we show users.”

Continue Reading Below

Google also published a blog post with more guidance on the product review update that introduced two new best practices that Google’s algorithm would be looking for.

The first best practice was a requirement of evidence that a product was actually handled and reviewed.

The second best practice was to provide links to more than one place that a user could purchase the product.

The Twitter announcement stated that it was rolling out to English language websites. The blog post did not mention what languages it was rolling out to nor did the blog post specify that the product review update was limited to the English language.

Google’s Mueller Thinking About Product Reviews Update

Screenshot of Google's John Mueller trying to recall if December Product Review Update affects more than the English language

Product Review Update Targets More Languages?

The person asking the question was rightly under the impression that the product review update only affected English language search results.

Continue Reading Below

But he asserted that he was seeing search volatility in the German language that appears to be related to Google’s December 2021 Product Review Update.

This is his question:

“I was seeing some movements in German search as well.
So I was wondering if there could also be an effect on websites in other languages by this product reviews update… because we had lots of movement and volatility in the last weeks.
…My question is, is it possible that the product reviews update affects other sites as well?”

John Mueller answered:

“I don’t know… like other languages?
My assumption was this was global and and across all languages.
But I don’t know what we announced in the blog post specifically.
Advertisement

But usually we try to push the engineering team to make a decision on that so that we can document it properly in the blog post.
I don’t know if that happened with the product reviews update. I don’t recall the complete blog post.
But it’s… from my point of view it seems like something that we could be doing in multiple languages and wouldn’t be tied to English.
And even if it were English initially, it feels like something that is relevant across the board, and we should try to find ways to roll that out to other languages over time as well.
So I’m not particularly surprised that you see changes in Germany.
But I also don’t know what we actually announced with regards to the locations and languages that are involved.”

Does Product Reviews Update Affect More Languages?

While the tweeted announcement specified that the product reviews update was limited to the English language the official blog post did not mention any such limitations.

Google’s John Mueller offered his opinion that the product reviews update is something that Google could do in multiple languages.

One must wonder if the tweet was meant to communicate that the update was rolling out first in English and subsequently to other languages.

It’s unclear if the product reviews update was rolled out globally to more languages. Hopefully Google will clarify this soon.