Can you explain this vulnerability to me?

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Pack Elementor addon plugin for WordPress, specifically in the Typing Letter widget. It occurs because the plugin does not properly sanitize or escape user-supplied input attributes. As a result, authenticated users with contributor-level access or higher can inject malicious scripts into pages. These scripts execute whenever any user accesses the infected page, potentially compromising site security.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

The vulnerability allows attackers with contributor-level access or above to inject arbitrary web scripts into pages. This can lead to unauthorized actions such as stealing user credentials, hijacking user sessions, defacing the website, or distributing malware to visitors. Additionally, Resource 1 highlights a related severe issue where certain plugin actions can cause complete deletion of site content with no recovery option, indicating potential for significant data loss and site disruption. [1]

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

Immediate steps to mitigate this vulnerability include updating the Pack Elementor addon plugin to version 2.1.6 or later, as the plugin was closed and updated to address critical issues. Additionally, avoid using the Typing Letter widget in versions up to 2.1.5 and restrict contributor-level access or higher until the plugin is fully reviewed and patched. Consider backing up your site data regularly to prevent data loss due to potential exploitation or plugin errors. [1]

Useful 0 Not Useful 0