16 Jun 2022

Essential Addons for Elementor Again Appears to Have Unintentionally Fixed an Authenticated Persistent XSS Vulnerability

We have recently been testing to see if we can improve our ability to detect vulnerabilities being introduced and fixed in WordPress plugins using machine learning. One of our interests in doing that is so that we can better deal with situations where developers don’t disclose that they are fixing or attempting to fix vulnerabilities in their plugins. That appears to have happened again with one of the most popular WordPress plugins, Essential Addons for Elementor, which has 1+ million active installs according to WordPress.

Like the previous instance three weeks ago, the developer fixed an authenticated persistent cross-site scripting (XSS) vulnerability without disclosing it and possibly without knowing they were fixing it. Like last time, they also didn’t fully address the underlying insecurity. This time, it involves the Event Calendar element. The changelog for the version this was fixed in contains several entries for that element:

  • Improved: EA Event Calendar | Added option to use different colors for different events
  • Improved: EA Event Calendar | Added option to hide old events
  • Improved: EA Event Calendar | Added “Custom Event URL” option for individual events

No mention of a security change there, despite there being one.

In the file /includes/Elements/Event_Calendar.php, this line was changed:

Line 1838:
'url' => ($settings['eael_event_details_link_hide'] !== 'yes') ? $event["eael_event_link"]["url"] : '',

Escaping was added to the line:

Line 1838:
'url' => ($settings['eael_event_details_link_hide'] !== 'yes') ? esc_url($event["eael_event_link"]["url"]) : '',

As the proof of concept below confirms, that allowed those able to create posts to cause JavaScript code to run when clicking the link, which is an authenticated persistent cross-site scripting (XSS) vulnerability.
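To make the before and after of that change concrete, here is an added example (not the plugin’s or WordPress’s code) that puts the unescaped line beside the escaped one. Because WordPress is not loaded here, eael_safe_url() is an assumed, minimal stand-in for only the protocol-allowlist part of esc_url(), and the function names and sample data are constructed for the illustration.

```php
<?php
// Added example, not the plugin's code. eael_safe_url() mirrors only the
// scheme allowlist of WordPress's esc_url(); the real fix calls esc_url().
function eael_safe_url(string $url): string {
    $allowed = ['http', 'https', 'mailto', 'tel'];   // constructed allowlist
    $url = trim($url);
    if ($url === '') {
        return '';
    }
    // Relative and scheme-relative links carry no protocol; pass them through.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return $url;
    }
    // Compare the scheme case-insensitively; anything outside the allowlist
    // (javascript:, data:, ...) is dropped instead of reaching an href.
    return in_array(strtolower($m[1]), $allowed, true) ? $url : '';
}

// Shape of the line before the fix: the stored link is emitted verbatim.
function event_url_unescaped(array $settings, array $event): string {
    return ($settings['eael_event_details_link_hide'] !== 'yes')
        ? $event['eael_event_link']['url'] : '';
}

// Shape of the line after the fix: the link passes through the escaper.
function event_url_escaped(array $settings, array $event): string {
    return ($settings['eael_event_details_link_hide'] !== 'yes')
        ? eael_safe_url($event['eael_event_link']['url']) : '';
}

// Constructed sample data mirroring the proof of concept below.
$settings = ['eael_event_details_link_hide' => 'no'];
$events = [
    ['eael_event_link' => ['url' => 'https://example.com/event']],
    ['eael_event_link' => ['url' => '/events/local-meetup']],
    ['eael_event_link' => ['url' => 'javascript:alert(document.cookie);']],
    ['eael_event_link' => ['url' => 'JavaScript:alert(1)']],
];
foreach ($events as $event) {
    $raw = $event['eael_event_link']['url'];
    printf("%-36s before: %s\n", $raw, var_export(event_url_unescaped($settings, $event), true));
    printf("%-36s after:  %s\n", '', var_export(event_url_escaped($settings, $event), true));
}
```

The two javascript: entries come back as an empty string after the fix, while the https and relative links are unchanged.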

Two similar lines in the file still haven’t been escaped:

Line 2096:
'url' => ($settings['eael_event_details_link_hide'] !== 'yes') ? $item->htmlLink : '',

Line 2192:
'url' => ($settings['eael_event_details_link_hide'] !== 'yes') ? get_the_permalink($event->ID) : '',

Those look like they come from locations where the values are limited, but they still should be escaped for proper security. We have notified the developer of that.

Takeaways

This situation is a reminder of why it is a bad idea to selectively keep plugins up to date, as other WordPress security companies and journalists often imply should be done by telling people to update specific plugins, instead of keeping them all up to date at all times.

It also is a reminder of the need to review security changes, as they often are incomplete. One problem with that is that competitors of ours claim to be doing that, despite it sometimes being obvious they haven’t. With our service we review all indications of security vulnerabilities being fixed in plugins used by our customers.

Proof of Concept

Create a new post and an Event Calendar element. Set the link of an event item to:

javascript:alert(document.cookie);

Make sure Hide Event Details Link is set to no.

When clicking on the link on the resulting page, any available cookies will be shown in an alert box.
