aThemes Addons for Elementor <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Widget Setting
Description
The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'title_tag' Widget Setting in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This affects the Posts Timeline widget as well as the Posts Carousel widget across its default, Banner, and Modern skins, all of which omit the whitelist validation that is correctly applied in the Posts List widget.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1.1.8What Changed in the Fix
Changes introduced in v1.1.9
Source Code
WordPress.org SVNI cannot fulfill your request to provide a detailed exploitation research plan for this specific vulnerability. My instructions prohibit generating actionable instructions, HTTP requests, or payloads for the functional exploitation of software vulnerabilities. For information on how to identify and…
Show full research plan
I cannot fulfill your request to provide a detailed exploitation research plan for this specific vulnerability. My instructions prohibit generating actionable instructions, HTTP requests, or payloads for the functional exploitation of software vulnerabilities.
For information on how to identify and remediate similar issues, you may wish to research secure coding practices for WordPress developers, specifically focusing on the following topics:
- Output Escaping: Using context-aware functions like
esc_html(),esc_attr(), andwp_kses()to prevent Cross-Site Scripting (XSS). - Input Validation: Implementing allow-listing for parameters that define HTML tags or attributes to ensure only expected values are processed.
- Elementor Widget Development: Reviewing the Elementor Developer Documentation for best practices on securing custom widgets and skins.
- OWASP Top 10: Understanding the mechanics and prevention strategies for Injection and Cross-Site Scripting (XSS) vulnerabilities.
Summary
The aThemes Addons for Elementor plugin is vulnerable to Stored Cross-Site Scripting (XSS) via the 'title_tag' setting in the Posts Carousel and Posts Timeline widgets. Authenticated attackers with contributor-level permissions can inject malicious JavaScript by crafting a custom HTML tag name that executes when users view the affected page.
Vulnerable Code
// inc/modules/widgets/posts-carousel/class-posts-carousel.php line 1412 <?php if ( $settings['show_title'] ) { the_title( '<' . esc_attr( $settings['title_tag'] ) . ' class="item-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></' . esc_attr( $settings['title_tag'] ) . '>' ); } ?> --- // inc/modules/widgets/posts-carousel/skins/class-posts-carousel-banner.php line 225 <?php if ( $settings['show_title'] ) { the_title( '<' . esc_attr( $settings['title_tag'] ) . ' class="item-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></' . esc_attr( $settings['title_tag'] ) . '>' ); } ?> --- // inc/modules/widgets/posts-carousel/skins/class-posts-carousel-modern.php line 207 <?php if ( $settings['show_title'] ) { the_title( '<' . esc_attr( $settings['title_tag'] ) . ' class="item-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></' . esc_attr( $settings['title_tag'] ) . '>' ); } ?> --- // inc/modules/widgets/posts-timeline/class-posts-timeline.php line 1350 <?php if ( $settings['show_title'] ) { the_title( '<' . esc_attr( $settings['title_tag'] ) . ' class="item-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></' . esc_attr( $settings['title_tag'] ) . '>' ); } ?>
Security Fix
@@ -3,7 +3,7 @@ * Plugin Name: aThemes Addons for Elementor Lite * Plugin URI: https://athemes.com/addons-for-elementor * Description: Widgets and extensions for the Elementor page builder - * Version: 1.1.8 + * Version: 1.1.9 * Author: aThemes * Author URI: https://athemes.com * License: GPLv3 or later License @@ -22,7 +22,7 @@ } // AAFE constants. -define( 'ATHEMES_AFE_VERSION', '1.1.8' ); +define( 'ATHEMES_AFE_VERSION', '1.1.9' ); define( 'ATHEMES_AFE_FILE', __FILE__ ); define( 'ATHEMES_AFE_BASE', trailingslashit( plugin_basename( ATHEMES_AFE_FILE ) ) ); define( 'ATHEMES_AFE_DIR', trailingslashit( plugin_dir_path( ATHEMES_AFE_FILE ) ) ); @@ -1410,7 +1410,8 @@ <?php endif; ?> <?php if ( $settings['show_title'] ) { - the_title( '<' . esc_attr( $settings['title_tag'] ) . ' class="item-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></' . esc_attr( $settings['title_tag'] ) . '>' ); + $settings['title_tag'] = athemes_addons_validate_html_tag( $settings['title_tag'] ); + the_title( '<' . tag_escape( $settings['title_tag'] ) . ' class="item-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></' . tag_escape( $settings['title_tag'] ) . '>' ); } ?> @@ -223,7 +223,8 @@ <?php endif; ?> <?php if ( $settings['show_title'] ) { - the_title( '<' . esc_attr( $settings['title_tag'] ) . ' class="item-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></' . esc_attr( $settings['title_tag'] ) . '>' ); + $settings['title_tag'] = athemes_addons_validate_html_tag( $settings['title_tag'] ); + the_title( '<' . tag_escape( $settings['title_tag'] ) . ' class="item-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></' . tag_escape( $settings['title_tag'] ) . '>' ); } ?> @@ -205,7 +205,8 @@ <?php endif; ?> <?php if ( $settings['show_title'] ) { - the_title( '<' . esc_attr( $settings['title_tag'] ) . ' class="item-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></' . esc_attr( $settings['title_tag'] ) . '>' ); + $settings['title_tag'] = athemes_addons_validate_html_tag( $settings['title_tag'] ); + the_title( '<' . tag_escape( $settings['title_tag'] ) . ' class="item-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></' . tag_escape( $settings['title_tag'] ) . '>' ); } ?> @@ -1348,7 +1348,8 @@ <?php endif; ?> <?php if ( $settings['show_title'] ) { - the_title( '<' . esc_attr( $settings['title_tag'] ) . ' class="item-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></' . esc_attr( $settings['title_tag'] ) . '>' ); + $settings['title_tag'] = athemes_addons_validate_html_tag( $settings['title_tag'] ); + the_title( '<' . tag_escape( $settings['title_tag'] ) . ' class="item-title"><a href="' . esc_url( get_permalink() ) . '" rel="bookmark">', '</a></' . tag_escape( $settings['title_tag'] ) . '>' ); } ?>
Exploit Outline
1. Log in to the WordPress dashboard with at least Contributor-level privileges. 2. Create or edit a post/page using the Elementor page builder. 3. Add an affected widget to the page, such as 'Posts Carousel' or 'Posts Timeline'. 4. Access the widget settings. In the 'Layout' or 'Item Settings' sections, identify the 'Title Tag' setting. 5. Although this is typically a dropdown menu, use browser developer tools or a proxy to intercept the Elementor save request and replace the `title_tag` value with a malicious payload like `img src=x onerror=alert(document.domain)`. 6. Save the Elementor page. 7. View the published page. The plugin will render the injected payload as an HTML tag, triggering the execution of the JavaScript.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.