Elementor WordPress Plugin Hit By 6 Vulnerabilities

Elementor Website Builder is a leading website builder platform with over 5 million active installations worldwide. It is known for its drag and drop interface that enables users to create professional websites easily. The platform also offers a Pro version which includes additional widgets and advanced ecommerce capabilities.

The six XSS (Cross-Site Scripting) vulnerabilities found in Elementor Website Builder and its Pro version are:

1. CVE-2024-2117: Authenticated DOM-Based Stored XSS via Path Widget
2. CVE-2024-2120: Authenticated Stored XSS via Post Navigation
3. CVE-2024-1521: Authenticated Stored XSS via Form Widget SVGZ File Upload (affects NGINX servers)
4. CVE-2024-2121: Authenticated Stored XSS via Media Carousel widget
5. CVE-2024-1364: Authenticated Stored XSS via widget’s custom_id
6. CVE-2024-2781: Authenticated DOM-Based Stored XSS via video_html_tag

All vulnerabilities are rated as medium level security threats and require contributor-level permission to execute.

Users of both the free and Pro versions of Elementor Website Builder are advised to update their plugin to the latest version to address the XSS vulnerabilities. This is crucial even though exploiting the vulnerabilities requires an attacker to have contributor-level permission credentials, as there is still a risk, particularly if contributors use weak passwords.