
Cross-Site Scripting (XSS) possible on Template editors #8435

Closed
enricoberti opened this issue Jun 28, 2019 · 2 comments

Comments

@enricoberti

commented Jun 28, 2019

Prerequisites

  • I have searched for similar issues in both open and closed tickets and cannot find a duplicate.
  • The issue still exists against the latest stable version of Elementor.

Description

After running a Security Scan (IBM AppScan) on Elementor, we found that any HTML can be injected while accessing the template editor features, i.e. Popups.

Steps to reproduce

If you add any valid HTML to the elementor_library_type URL parameter it will be rendered in the page, i.e.

/wp-admin/edit.php?post_type=elementor_library&tabs_group=popup&elementor_library_type=popup<b>hello<%2Fb>

will render this

(attached image: Screenshot 2019-06-28 10 21 52)

This is valid for any HTML tag, including <script>

Isolating the problem

  • This bug happens with only Elementor plugin active (and Elementor Pro).
  • This bug happens with a default WordPress theme active.
  • I can reproduce this bug consistently using the steps above.

Environment

System Info

== Server Environment ==
Operating System: Linux
Software: Apache
MySQL version: Percona Server (GPL), Release '28', Revision 'c335905' v5.7.25-28
PHP Version: 7.2.18-1+ubuntu18.04.1+deb.sury.org+1
PHP Max Input Vars: 1000
PHP Max Post Size: 100M
GD Installed: Yes
ZIP Installed: Yes
Write Permissions: All right
Elementor Library: Connected

== WordPress Environment ==
Version: 5.2.1
Site URL: https://hebtest.staging.wpengine.com
Home URL: http://hebtest.staging.wpengine.com
WP Multisite: No
Max Upload Size: 50 MB
Memory limit: 512M
Permalink Structure: /%postname%/
Language: en-US
Timezone: 0
Debug Mode: Active

== Theme ==
Name: astra-heb-child
Version:
Author:
Child Theme: Yes

== User ==
Role: administrator
WP Profile lang: en_US
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36

== Active Plugins ==
Advanced Custom Fields PRO
Version: 5.8.0
Author: Elliot Condon

AnyWhere Elementor Pro
	Version: 2.12
	Author: WebTechStreet

Astra Pro
	Version: 1.8.2
	Author: Brainstorm Force

Disable Gutenberg
	Version: 1.8.1
	Author: Jeff Starr

Duplicate Post
	Version: 3.2.2
	Author: Enrico Battocchi

Elementor
	Version: 2.5.16
	Author: Elementor.com

Elementor Pro
	Version: 2.5.9
	Author: Elementor.com

FacetWP
	Version: 3.3.7
	Author: FacetWP, LLC

H-E-B Events
	Version: 1.0.0
	Author: Enrico Berti - Guidea

H-E-B Taleo Client Connect Importer
	Version: 1.0.0
	Author: Enrico Berti - Guidea

InGallery by Maxiolab
	Version: 1.38
	Author: Maxiolab

Insert Headers and Footers
	Version: 1.4.4
	Author: WPBeginner

Show modified Date in admin lists
	Version: 1.1
	Author: Apasionados.es

Ultimate Addons for Elementor
	Version: 1.12.0
	Author: Brainstorm Force

WP SVG images
	Version: 3.0
	Author: KubiQ

Yoast SEO
	Version: 11.3
	Author: Team Yoast

== Must-Use Plugins ==
Elementor Safe Mode
Version: 1.0.0
Author: Elementor.com

Force Strong Passwords - WPE Edition
	Version: 1.6.4
	Author: Jason Cosper

Stop long comments
	Version: 0.0.4
	Author: WPEngine

WP Engine System
	Version: 3.2.1
	Author: WP Engine

== Log ==
Log: showing 20 of 41
2019-04-03 10:15:02 [info] Elementor data updater process has been queued. [array (
'plugin' => 'Elementor Pro',
'from' => '2.4.3',
'to' => '2.5.3',
)]
2019-04-10 10:06:18 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor',
'from' => '2.5.11',
'to' => '2.5.12',
)]
2019-04-10 10:06:19 [info] elementor-pro::elementor_pro_updater Started
2019-04-10 10:06:19 [info] Elementor Pro/Upgrades - _v_2_5_4_posts Start
2019-04-10 10:06:19 [info] Elementor Pro/Upgrades - _v_2_5_4_posts Finished
2019-04-10 10:06:19 [info] Elementor Pro/Upgrades - _v_2_5_4_portfolio Start
2019-04-10 10:06:19 [info] Elementor Pro/Upgrades - _v_2_5_4_portfolio Finished
2019-04-10 10:06:19 [info] Elementor Pro/Upgrades - _v_2_5_4_products Start
2019-04-10 10:06:19 [info] Elementor Pro/Upgrades - _v_2_5_4_products Finished
2019-04-10 10:06:19 [info] Elementor Pro/Upgrades - _v_2_5_4_form Start
2019-04-10 10:06:19 [info] Elementor Pro/Upgrades - _v_2_5_4_form Finished
2019-04-10 10:06:19 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor Pro',
'from' => '2.5.3',
'to' => '2.5.5',
)]
2019-04-10 10:06:19 [info] Elementor data updater process has been queued. [array (
'plugin' => 'Elementor Pro',
'from' => '2.5.3',
'to' => '2.5.5',
)]
2019-04-14 10:13:13 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor',
'from' => '2.5.12',
'to' => '2.5.13',
)]
2019-04-18 19:12:50 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor',
'from' => '2.5.13',
'to' => '2.5.14',
)]
2019-04-30 15:32:03 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor Pro',
'from' => '2.5.5',
'to' => '2.5.6',
)]
2019-05-07 14:14:05 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor',
'from' => '2.5.14',
'to' => '2.5.15',
)]
2019-05-07 14:14:06 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor Pro',
'from' => '2.5.6',
'to' => '2.5.8',
)]
2019-05-29 13:41:23 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor',
'from' => '2.5.15',
'to' => '2.5.16',
)]
2019-05-29 13:41:23 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor Pro',
'from' => '2.5.8',
'to' => '2.5.9',
)]

JS: showing 1 of 1
JS: 2019-05-06 12:49:56 [error X 83][https://hebtest.staging.wpengine.com/wp-content/plugins/elementor/assets/js/editor.min.js?ver=2.5.14:2:27759] Cannot read property 'get' of undefined

PHP: showing 1 of 1
PHP: 2019-05-29 14:11:24 [warning X 1][/nas/content/live/hebtest/wp-content/plugins/elementor/includes/base/controls-stack.php::714] Illegal string offset 'type' [array (
'trace' => '
#0: Elementor\Core\Logger\Manager -> shutdown()
',
)]

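The report above describes a classic reflected XSS: a query-string value is written into the admin page's HTML without encoding, so `<b>` or `<script>` in the parameter becomes live markup. The following is an added illustration and is not Elementor's code, nor the fix shipped in v2.6.0; the function names, the `ALLOWED_TYPES` list and the sample parameter value are assumptions. It shows the vulnerable pattern beside the two defences a reviewer would look for: output encoding (what WordPress's `esc_html()` / `esc_attr()` do) and, for a parameter that is really an enum, allow-list validation (WordPress's `sanitize_key()` plays a similar normalising role).

```php
<?php
// Added example (hypothetical code, not from the Elementor project): a
// reflected query parameter such as elementor_library_type rendered into an
// admin screen, unsafe versus hardened.
declare(strict_types=1);

// Constructed sample: the value from the report, as PHP's $_GET would
// present it after URL decoding.
const SAMPLE_PARAM = 'popup<b>hello</b>';

// Assumed allow-list of template types this screen can filter by.
const ALLOWED_TYPES = ['page', 'section', 'popup'];

/** Vulnerable pattern: the raw parameter is interpolated into HTML. */
function render_type_badge_unsafe(string $type): string
{
    return "<span class=\"active-type\">$type</span>";
}

/**
 * Defence 1: output-encode so any markup in the value is shown as text.
 * In WordPress this is esc_html() for element content and esc_attr() for
 * attribute values; plain PHP's htmlspecialchars() gives the same result here.
 */
function render_type_badge_escaped(string $type): string
{
    $safe = htmlspecialchars($type, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<span class=\"active-type\">$safe</span>";
}

/**
 * Defence 2 (preferred for an enum-like parameter): validate against an
 * allow-list and fall back to a default, so unexpected input never reaches
 * the page. sanitize_key() in WordPress normalises in a comparable way.
 */
function normalize_type(?string $type): string
{
    $candidate = strtolower(trim((string) $type));
    return in_array($candidate, ALLOWED_TYPES, true) ? $candidate : 'page';
}

function render_type_badge_validated(?string $type): string
{
    // Encoding is still applied to the allow-listed value: defence in depth.
    return render_type_badge_escaped(normalize_type($type));
}

if (PHP_SAPI === 'cli') {
    $type = $argv[1] ?? SAMPLE_PARAM;
    echo 'unsafe:    ' . render_type_badge_unsafe($type) . PHP_EOL;
    echo 'escaped:   ' . render_type_badge_escaped($type) . PHP_EOL;
    echo 'validated: ' . render_type_badge_validated($type) . PHP_EOL;
}
```

Run with `php example.php` (or pass your own value as the first argument). With the sample value, the unsafe line emits the `<b>` tag intact, the escaped line emits `popup&lt;b&gt;hello&lt;/b&gt;` as inert text, and the validated line falls back to the default type because the input is not in the allow-list. For a value like this that only ever selects among a few known types, the allow-list is the stronger control: it removes the attacker-controlled string from the page entirely rather than relying on correct encoding at every output point.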
@shilo-ey


Collaborator

commented Jun 30, 2019

Thanks @enricoberti

We will take a look and harden the security for this screen.

@shilo-ey


Collaborator

commented Jul 9, 2019

This issue has been resolved in Elementor v2.6.0

Feel free to update

Thanks!
