WordPress Elementor Vulnerability Affects +7 Million

Security researchers at Wordfence discovered a vulnerability in sites built with Elementor. It is a Stored Cross-site Scripting (XSS) vulnerability, and it has the potential to enable attackers to seize control of a website.

Stored Cross Site Vulnerability

Cross Site Scripting (XSS) is a type of vulnerability in which an attacker uploads a malicious script that is then executed in the browser of anyone who visits the web page where the script is displayed.

The script can do any number of things like steal cookies, password credentials and so on.

This particular variant is called a Stored Cross Site Scripting vulnerability because the malicious script is stored on the website itself.

The other kind of XSS is called a Reflected Cross Site Scripting, which depends on a link being clicked (like through an email).

Stored Cross Site Scripting has the greater potential to do harm because it can attack any visitor to the web page.

Stored XSS Elementor Exploit

The stored XSS vulnerability affecting Elementor can be used to steal administrator credentials. The attacker must, however, first obtain a publishing level WordPress user role; even the lowest such role, Contributor, is enough to initiate the attack.

The Contributor role is a low-level registered user that can read, publish, edit and delete their own articles on a website. Contributors cannot, however, upload media files such as images.


How the Elementor Vulnerability Attack Works

The vulnerability is a loophole that allows an attacker to insert a malicious script from within the editing screen.

The loophole existed in six Elementor components:

  1. Accordion
  2. Icon Box
  3. Image Box
  4. Heading
  5. Divider
  6. Column

Wordfence explained how attackers exploit these components:

“Many of these elements offer the option to set an HTML tag for the content within. For example, the “Heading” element can be set to use H1, H2, H3, etc. tags in order to apply different heading sizes via the header_size parameter.

Unfortunately, for six of these elements, the HTML tags were not validated on the server side, so it was possible for any user able to access the Elementor editor, including contributors, to use this option to add executable JavaScript to a post or page via a crafted request.”

Once the script was saved, any visitor to the web page, even an editor previewing the page before publishing, would execute the code in their browser and have their authenticated session made available to the attacker.
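The following is an added example, not code from Elementor or Wordfence. It models the flaw the Wordfence quote describes (a tag-name option such as header_size accepted without server-side validation) beside the allowlist check a server-side fix would apply; the function names, the allowlist and the fallback tag are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Elementor's or Wordfence's code. It models the flaw the
// Wordfence quote describes (a tag-name option such as header_size accepted
// without server-side validation) next to an allowlist check. The function
// names, the allowlist and the fallback tag are assumptions for illustration.

/** Tag names a heading widget is permitted to render. */
const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

/**
 * Vulnerable pattern: the saved option is trusted and spliced directly into the
 * markup, so any value that is not a bare tag name becomes part of the HTML
 * that every visitor's browser parses.
 */
function render_heading_unsafe(string $tag, string $text): string
{
    return "<{$tag}>" . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . "</{$tag}>";
}

/**
 * Hardened pattern: normalise the option and compare it against a fixed
 * allowlist; anything else falls back to a safe default rather than being echoed.
 */
function validate_heading_tag(string $tag, string $default = 'h2'): string
{
    $tag = strtolower(trim($tag));
    return in_array($tag, ALLOWED_HEADING_TAGS, true) ? $tag : $default;
}

function render_heading_safe(string $tag, string $text): string
{
    $tag = validate_heading_tag($tag);
    return "<{$tag}>" . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . "</{$tag}>";
}

// Constructed inputs: a normal option value, an upper-case one, and one that
// carries extra markup after the tag name instead of being a tag name at all.
$cases = ['h3', 'H1', 'h1 title="injected"'];
foreach ($cases as $tag) {
    printf("option %-22s unsafe: %s\n", var_export($tag, true), render_heading_unsafe($tag, 'Hello'));
    printf("%-29s safe:   %s\n", '', render_heading_safe($tag, 'Hello'));
}
```

The third case shows why a client-side dropdown is not a control: the unsafe renderer emits whatever arrived in the request, while the validated renderer falls back to the default tag.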

Update Elementor Now

Wordfence recommends that all Elementor users update to at least version 3.1.4, although the official Elementor Pro changelog also states that there is a security fix.

A changelog is a software developer’s official record of changes to every version of the software.

It may be prudent to update to the very latest version available, as Elementor Pro 3.2.0 fixes a security issue:

“Sanitized options in the editor to enforce better security policies”

Citations

Official Wordfence Announcement:
Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites


Elementor Pro Changelog

Searchenginejournal.com

Google December Product Reviews Update Affects More Than English Language Sites? via @sejournal, @martinibuster

Google’s Product Reviews update was announced as rolling out to English language pages. No mention was made of if or when it would roll out to other languages. John Mueller answered a question about whether it is rolling out to other languages.

Google December 2021 Product Reviews Update

On December 1, 2021, Google announced on Twitter that a Product Review update would be rolling out that would focus on English language web pages.

The focus of the update was for improving the quality of reviews shown in Google search, specifically targeting review sites.

A Googler tweeted a description of the kinds of sites that would be targeted for demotion in the search rankings:

“Mainly relevant to sites that post articles reviewing products.

Think of sites like “best TVs under $200″.com.

Goal is to improve the quality and usefulness of reviews we show users.”

Google also published a blog post with more guidance on the product review update that introduced two new best practices that Google’s algorithm would be looking for.

The first best practice was a requirement of evidence that a product was actually handled and reviewed.

The second best practice was to provide links to more than one place that a user could purchase the product.

The Twitter announcement stated that it was rolling out to English language websites. The blog post did not mention what languages it was rolling out to nor did the blog post specify that the product review update was limited to the English language.

Google’s Mueller Thinking About Product Reviews Update

Screenshot of Google's John Mueller trying to recall if December Product Review Update affects more than the English language

Screenshot of Google's John Mueller trying to recall if December Product Review Update affects more than the English language

Product Review Update Targets More Languages?

The person asking the question was rightly under the impression that the product review update only affected English language search results.

But he asserted that he was seeing search volatility in German language results that appeared to be related to Google’s December 2021 Product Review Update.

This is his question:

“I was seeing some movements in German search as well.

So I was wondering if there could also be an effect on websites in other languages by this product reviews update… because we had lots of movement and volatility in the last weeks.

…My question is, is it possible that the product reviews update affects other sites as well?”

John Mueller answered:

“I don’t know… like other languages?

My assumption was this was global and across all languages.

But I don’t know what we announced in the blog post specifically.

But usually we try to push the engineering team to make a decision on that so that we can document it properly in the blog post.

I don’t know if that happened with the product reviews update. I don’t recall the complete blog post.

But it’s… from my point of view it seems like something that we could be doing in multiple languages and wouldn’t be tied to English.

And even if it were English initially, it feels like something that is relevant across the board, and we should try to find ways to roll that out to other languages over time as well.

So I’m not particularly surprised that you see changes in Germany.

But I also don’t know what we actually announced with regards to the locations and languages that are involved.”

Does Product Reviews Update Affect More Languages?

While the tweeted announcement specified that the product reviews update was limited to the English language, the official blog post did not mention any such limitation.

Google’s John Mueller offered his opinion that the product reviews update is something that Google could do in multiple languages.

One must wonder if the tweet was meant to communicate that the update was rolling out first in English and subsequently to other languages.

It’s unclear if the product reviews update was rolled out globally to more languages. Hopefully Google will clarify this soon.

Citations

Google Blog Post About Product Reviews Update

Product reviews update and your site

Google’s New Product Reviews Guidelines

Write high quality product reviews

John Mueller Discusses If Product Reviews Update Is Global

Watch Mueller answer the question at the 14:00 minute mark.
