16 Jun 2022

Essential Addons for Elementor Again Appears to Have Unintentionally Fixed an Authenticated Persistent XSS Vulnerability

We have recently been testing to see if we can improve our ability to detect vulnerabilities being introduced and fixed in WordPress plugins using machine learning. One of our interests in doing that is so that we can better deal with situations where developers don’t disclose that they are fixing or attempting to fix vulnerabilities in their plugins. That appears to have happened again with one of the most popular WordPress plugins, Essential Addons for Elementor, which has 1+ million active installs according to WordPress.

Like the previous instance three weeks ago, the developer fixed an authenticated persistent cross-site scripting (XSS) vulnerability without disclosing it and possibly without knowing they were fixing it. Like last time, they also didn’t fully address the underlying insecurity. This time, it involves the Event Calendar element. The changelog for the version this was fixed in contains several entries for that element:

26 May 2022

1+ Million Install WordPress Plugin Essential Addons for Elementor Unintentionally Fixed Two Instances of Vulnerability, Another Instance Remained

We have recently been testing to see if we can improve our ability to detect vulnerabilities being introduced and fixed in WordPress plugins using machine learning. One of our interests in doing that is so that we can better deal with situations where developers don’t disclose that they are fixing or attempting to fix vulnerabilities in their plugins. That appears to have happened with the version of Essential Addons for Elementor, one of the most popular WordPress plugins with 1+ million active installs according to WordPress, that was released yesterday.

One of the machine learning models we are testing flagged the changes made to the PHP code in that version as having fixed a vulnerability. There is a changelog entry that indicates that a security change was being made to the plugin:

1 Mar 2019

Closures of Very Popular WordPress Plugins, Week of March 1

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly, that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware, the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like that was due to a vulnerability.

This week, one of those plugins that we are aware of was closed (a change made to the WordPress website caused our monitoring to stop working for the past few days until we updated it), and it has since been reopened.

25 Feb 2019

Closed Popular WordPress Plugin Essential Addons for Elementor Contains an Authenticated SSRF Vulnerability

Last week, two of the 1,000 most popular WordPress plugins were closed, and we found that both of those contained security vulnerabilities that seemed unrelated to the closure. That doesn’t paint a great picture of the security of WordPress plugins or of the concern for security among the people running the WordPress Plugin Directory. It’s now a new week and the story continues. Earlier today, another one of the 1,000 most popular plugins, Essential Addons for Elementor, which has 100,000+ installs, was closed. Since then, a couple of updates have been made to the plugin, which may or may not be related to the closure. We didn’t see any obvious security changes in those updates, so we went to check whether any obvious security issues remain in the latest version, since we are interested in warning our customers if they are using vulnerable plugins. A few checks in, we found multiple security issues with the plugin; for now we will detail an authenticated server-side request forgery (SSRF) vulnerability, which can also be exploited through cross-site request forgery (CSRF).

If the developer or someone else wants the plugin more fully reviewed for security, we offer security reviews for a fee (and also allow customers of our main service to suggest/vote for plugins to get a review from us for no additional fee).