
WordPress Elementor Widgets Add-On Vulnerability


A WordPress add-on plugin for the popular Elementor page builder recently patched a vulnerability affecting over 200,000 installations. The flaw, found in the Jeg Elementor Kit plugin, allows authenticated attackers to upload malicious scripts.

Stored Cross-Site Scripting (Stored XSS)

The patch fixed an issue that could lead to a Stored Cross-Site Scripting exploit, in which an attacker uploads a malicious file to the website's server, where the embedded script runs whenever a user visits the affected page. This differs from Reflected XSS, which requires an admin or other user to be tricked into clicking a link that triggers the exploit. Both kinds of XSS can lead to a full-site takeover.

Insufficient Sanitization And Output Escaping

Wordfence posted an advisory noting that the source of the vulnerability is a lapse in a security practice known as sanitization, a standard that requires a plugin to filter what a user can input into the website. So if an image or text is what's expected, then all other kinds of input are required to be blocked.

Another issue that was patched involved a security practice called output escaping, a process similar to filtering that applies to what the plugin itself outputs, preventing it from emitting, for example, a malicious script. Specifically, it converts characters that could be interpreted as code, so that a user's browser does not treat the output as code and execute a malicious script.
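To make the two controls concrete, here is an added example (not code from the Jeg Elementor Kit plugin or from the Wordfence advisory) written in Python rather than the plugin's PHP, because the logic is the same in any language. The function names, the deny lists and the sample SVG documents are all constructed for this illustration. `find_svg_violations` is the sanitization side: it inspects an uploaded SVG and rejects it if it carries anything that could run script (script elements, inline event-handler attributes, `javascript:`-style link targets, or DOCTYPE/entity declarations). `escape_for_html` and `render_caption` are the output-escaping side: user-supplied text is converted to HTML entities at the moment it is written into a page.

```python
"""Added example (not the Jeg Elementor Kit plugin's code): two defensive
controls for SVG uploads, input sanitization and output escaping."""
import html
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can execute script or embed foreign content inside an SVG.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Link attributes whose value is a URL; SVG 2 uses bare href, SVG 1.1 xlink:href.
URL_ATTRIBUTES = {"href", "{%s}href" % XLINK_NS}
# URL schemes that would hand control to script or embed arbitrary content.
FORBIDDEN_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return qualified.rsplit("}", 1)[-1]


def _normalized_scheme(value):
    """Lower-case the value and drop whitespace so 'java script:' is caught too."""
    return "".join(value.split()).lower()


def find_svg_violations(svg_text):
    """Sanitization check: return the reasons an uploaded SVG must be rejected.

    An empty list means nothing on the deny list was found. Rejecting the whole
    file is safer than trying to strip the offending parts in place.
    """
    upper = svg_text.upper()
    # xml.etree expands internal entities, so refuse DOCTYPEs outright: a
    # crafted file must not be able to abuse entity expansion during the check.
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        return ["DOCTYPE/ENTITY declarations are not allowed"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    problems = []
    if _local_name(root.tag) != "svg":
        problems.append(f"root element is <{_local_name(root.tag)}>, not <svg>")
    for element in root.iter():
        name = _local_name(element.tag)
        if name in FORBIDDEN_ELEMENTS:
            problems.append(f"forbidden element <{name}>")
        for attr, value in element.attrib.items():
            attr_name = _local_name(attr)
            # onload, onclick, onmouseover, ... are inline event handlers.
            if attr_name.lower().startswith("on"):
                problems.append(f"event handler attribute {attr_name} on <{name}>")
            if attr in URL_ATTRIBUTES and _normalized_scheme(value).startswith(FORBIDDEN_SCHEMES):
                problems.append(f"forbidden URL scheme in {attr_name} on <{name}>")
    return problems


def is_safe_svg(svg_text):
    """Convenience wrapper: True only when no violation was found."""
    return not find_svg_violations(svg_text)


def escape_for_html(untrusted):
    """Output escaping: turn markup-significant characters into entities so the
    browser renders them as text instead of parsing them as HTML."""
    return html.escape(untrusted, quote=True)


def render_caption(caption):
    """Emit user-supplied text inside HTML, escaped at the point of output."""
    return f"<figcaption>{escape_for_html(caption)}</figcaption>"


# Constructed sample inputs (not real plugin data).
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPTED_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="handler()">'
    '<script>/* constructed placeholder, no real payload */</script></svg>'
)
LINKED_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<a href="javascript:handler()"><text>click</text></a></svg>'
)

if __name__ == "__main__":
    for label, svg in [("clean", CLEAN_SVG), ("scripted", SCRIPTED_SVG), ("linked", LINKED_SVG)]:
        print(label, "->", find_svg_violations(svg) or "accepted")
    print(render_caption('<b>"untrusted" caption</b>'))
```

Two design points worth noting. The check refuses files rather than cleaning them, because a sanitizer that rewrites SVG in place has to get every edge case right, whereas a deny-and-report decision is easy to audit. And escaping happens in `render_caption`, at the output boundary, not when the value is stored: the same string may be written into HTML, an attribute, or a URL later, and each context needs its own escaping. WordPress core does not accept SVG uploads at all by default; a plugin that enables them takes on exactly this filtering responsibility.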

The Wordfence advisory explains:

“The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.”

Medium Level Threat

The vulnerability received a Medium Level threat score of 6.4 on a scale of 1 – 10. Users are advised to update to Jeg Elementor Kit version 2.6.8 (or higher if available).

Read the Wordfence advisory:

Jeg Elementor Kit <= 2.6.7 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File

Featured Image by Shutterstock/Cast Of Thousands

