Can you explain this vulnerability to me?

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Unlimited Elements For Elementor WordPress plugin. It occurs via SVG file uploads due to insufficient input sanitization and output escaping. An attacker can upload a malicious SVG file containing arbitrary web scripts that will execute whenever a user accesses the SVG file. Exploitation requires a form with a file upload field created using the premium version of the plugin, but once the form exists, the vulnerability can be exploited even if the premium version is deactivated or uninstalled.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can allow unauthenticated attackers to inject and execute arbitrary scripts in the context of the affected website. This can lead to theft of user data, session hijacking, defacement, or other malicious actions performed on behalf of users who access the malicious SVG file. It compromises the integrity and security of the website and its users.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should ensure that any forms with file upload fields created using the Unlimited Elements For Elementor plugin are removed or disabled, especially if they allow SVG file uploads. Additionally, update the plugin to a version later than 2.0 once available, or apply any official patches. Avoid using the premium version to create such forms, and consider disabling or uninstalling the plugin if the vulnerability cannot be otherwise mitigated.

Useful 0 Not Useful 0