Multiple security flaws put 3.5 million WordPress websites at risk


The Wordfence Threat Intelligence team has discovered vulnerabilities in more than 15 add-ons for the WordPress plugin and popular website builder Elementor.

These 15 add-ons for Elementor are collectively installed on over 3.5m WordPress sites and in total, Wordfence found over 100 vulnerable endpoints.

These stored cross-site scripting (XSS) vulnerabilities are similar in execution to the serious vulnerability in Elementor that was recently patched by the company. When exploited, they allow any user capable of accessing the website builder, including contributors, to add JavaScript to posts.

This JavaScript would then be executed when a post is viewed, edited or previewed by other users on the site, and it could potentially be used to take over a site if the victim is an administrator.

Vulnerable add-ons

As was the case with the vulnerability in the main Elementor plugin, each of these add-ons adds elements that allow users to select an HTML tag from a drop-down menu to add formatting to a title or other text. However, as the tag options are not enforced on the server side, an attacker could add a new title element and change an “H5” heading tag to a “script” tag. In many cases it is possible to add JavaScript directly using one of these tags, and an attacker could use this to add malicious code to a vulnerable WordPress site.
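The pattern described above and its fix, as an added PHP illustration that is not code from Elementor or any of the affected add-ons: the unsafe renderer trusts whatever tag name arrives with the saved widget settings, while the hardened one enforces the drop-down's options with a server-side allowlist. The function names, the settings keys and the allowlist contents are assumptions made for the example; in WordPress code `esc_html()` would take the place of `htmlspecialchars()`.

```php
<?php
// Added illustration, not code from Elementor or any of the add-ons named above.
// Both renderers take the settings an editor submitted for a title widget.
// The title text is escaped in both; only the handling of the tag name differs.

// Vulnerable pattern: the drop-down restricts the choice in the browser only,
// so a contributor who submits a different value gets it rendered verbatim.
function render_heading_unsafe(array $settings): string {
    $tag   = $settings['title_tag'];                 // assumed settings key
    $title = htmlspecialchars($settings['title'], ENT_QUOTES, 'UTF-8');
    return "<{$tag}>{$title}</{$tag}>";
}

// Hardened pattern: enforce the same set of options on the server side,
// falling back to a safe default for anything that is not on the allowlist.
const ALLOWED_TITLE_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

function validate_title_tag(string $tag, string $default = 'h2'): string {
    $tag = strtolower(trim($tag));
    return in_array($tag, ALLOWED_TITLE_TAGS, true) ? $tag : $default;
}

function render_heading_safe(array $settings): string {
    $tag   = validate_title_tag((string) ($settings['title_tag'] ?? ''));
    $title = htmlspecialchars((string) ($settings['title'] ?? ''), ENT_QUOTES, 'UTF-8');
    return "<{$tag}>{$title}</{$tag}>";
}

// Constructed sample inputs: a normal submission and one where the tag name
// was changed outside the drop-down, as the article describes.
$normal   = ['title_tag' => 'h5',     'title' => 'Welcome'];
$tampered = ['title_tag' => 'script', 'title' => 'Welcome'];

echo render_heading_unsafe($normal), "\n";    // heading rendered as chosen
echo render_heading_unsafe($tampered), "\n";  // the submitted tag is rendered verbatim (the bug)
echo render_heading_safe($tampered), "\n";    // tag rejected, default heading tag used instead
```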

In a new blog post, Wordfence has listed all of the vulnerable add-ons which have now been patched. However, not all of the developers and publishers that the company reached out to responded to its initial contact requests. In these cases though, Wordfence contacted the WordPress repository directly to have the vulnerable add-ons reviewed.

Sites using Elementor with multiple users that can contribute content and are running an unpatched version of one of these add-ons should be considered at risk. For this reason, Wordfence recommends that site owners update as soon as possible. 

If your site is running an Elementor add-on that is not listed in Wordfence's blog post and that adds functionality to the website builder through new elements or widgets, the company recommends that you contact the author or developer directly to verify that they have audited their add-on for these issues.

Anthony Spadafora
