Can you explain this vulnerability to me?

The vulnerability in the Medical Addon for Elementor WordPress plugin (up to version 1.6.3) is a Stored Cross-Site Scripting (XSS) issue. It occurs in the plugin's Typewriter widget due to insufficient input sanitization and output escaping of user-supplied attributes. This allows authenticated users with contributor-level access or higher to inject malicious scripts into pages, which then execute whenever any user views those pages.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can allow attackers with contributor-level access to inject arbitrary scripts into website pages. These scripts can execute in the browsers of users who visit the infected pages, potentially leading to theft of user credentials, session hijacking, defacement, or other malicious actions that compromise website integrity and user security.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

Immediate steps to mitigate this vulnerability include disabling or uninstalling the Medical Addon for Elementor plugin version 1.6.3 or earlier, as the plugin has been temporarily closed and is unavailable for download pending a full security review. Additionally, ensure that only trusted users have contributor-level access or higher, and monitor for any suspicious activity on pages using the Typewriter widget. Keep your WordPress and PHP versions updated to at least WordPress 6.3 and PHP 7.4 as required by the plugin. [1]

Useful 0 Not Useful 0