WordPress Plugin Starter Templates Stored Cross-Site Scripting (XSS) Vulnerability Impacts Over a Million Sites (CVE-2021-42360)

Astra Theme’s WordPress plugin fixed an XSS vulnerability that could lead to total site takeover and attacks on visitors.  
  
A vulnerability in the Starter Templates – Elementor, Gutenberg, and Beaver Builder Templates plugin can allow contributor-level users to entirely replace any page on the site and implant malicious JavaScript at any time. 
 
This vulnerability (CVE-2021-42360) was first discovered on October 4th, 2021 by the security experts at Wordfence. It affects the Brainstorm Force Starter Templates plugin and allows an attacker to upload a malicious script that is then stored on the website itself.

The Starter Templates plugin lets site owners import pre-made templates and blocks for a variety of page builders, including Elementor.

On sites that also have Elementor installed, users with the edit_posts capability, which includes Contributor-level users, could import blocks onto any page using the astra-page-elementor-batch-process AJAX action. Although the elementor_batch_process function associated with this action did perform a nonce check, Contributor-level users could find the required _ajax_nonce in the page source of the WordPress dashboard.

An attacker could create and host a malicious JavaScript block on a server they control, then use it to overwrite any post or page by sending an AJAX request with the action set to astra-page-elementor-batch-process, the url parameter pointing to their remotely-hosted malicious block, and an id parameter containing the post or page to overwrite.

The imported block may overwrite any post or page generated using Elementor, even published pages, and the malicious JavaScript it contains would then be executed in the browser of any visitor to that page.
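
One way to hunt for the request described above in request logs, as an added example that is not from the original post, Wordfence, or the plugin's developers. It assumes a JSON-lines log that records the request path and POST body (the field names, the sample records and the TRUSTED_HOSTS allowlist are constructed) and flags batch-process imports whose url parameter points at a host outside the allowlist.

```python
import json
from urllib.parse import parse_qs, urlsplit

ACTION = "astra-page-elementor-batch-process"  # AJAX action named in the advisory
# Assumption: hosts this site legitimately imports templates from (placeholder value).
TRUSTED_HOSTS = {"templates.example.org"}

# Constructed sample records (JSON lines); the log format and field names are hypothetical.
SAMPLE_LOG = """\
{"ts":"2021-11-20T10:01:02Z","user":"editor1","path":"/wp-admin/admin-ajax.php","body":"action=heartbeat&_nonce=abc"}
{"ts":"2021-11-20T10:05:40Z","user":"admin","path":"/wp-admin/admin-ajax.php","body":"action=astra-page-elementor-batch-process&id=12&url=https%3A%2F%2Ftemplates.example.org%2Fblock%2F7&_ajax_nonce=0a1b2c"}
{"ts":"2021-11-20T10:09:13Z","user":"contrib7","path":"/wp-admin/admin-ajax.php","body":"action=astra-page-elementor-batch-process&id=2&url=https%3A%2F%2Fcdn.example.net%2Fb.json&_ajax_nonce=0a1b2c"}
not-json garbage line
"""

def find_suspicious_imports(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Return one finding per batch-process import whose url host is not trusted."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        parts = urlsplit(rec.get("path") or "")
        if not parts.path.endswith("/admin-ajax.php"):
            continue
        # The action may arrive in the query string or the POST body; check both.
        params = parse_qs(parts.query + "&" + (rec.get("body") or ""))
        if ACTION not in params.get("action", []):
            continue
        # A missing or empty url yields host "" and is flagged as well.
        for url in params.get("url") or [""]:
            host = (urlsplit(url).hostname or "").lower()
            if host not in trusted_hosts:
                findings.append({"ts": rec.get("ts"), "user": rec.get("user"),
                                 "post_id": params.get("id", [None])[0], "source_host": host})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_imports(SAMPLE_LOG):
        print(finding)
```

Each finding names the account, the overwritten post id and the remote host, which is what is needed to review the affected page's revision history and the Contributor account involved.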

What is a Stored Cross-Site Scripting (XSS) Vulnerability? 
Cross-site scripting (XSS) is a type of security flaw that has been discovered in several web applications. Attackers can use XSS to inject client-side scripts into web pages that are viewed by other users, and can exploit it to get around access controls such as the same-origin policy. A stored XSS vulnerability is highly dangerous because the submitted script is saved on the server of the targeted site.
 
Affected versions  
Starter Templates plugin version 2.7.0 and older versions are affected by this vulnerability.
 
Mitigation  
Customers are requested to update to Starter Templates version 2.7.1 or later to patch this vulnerability. For more information, please visit the announcement page. 
 
Qualys Detection  
Qualys customers can scan their devices with QID 730259 to detect vulnerable assets.  
  
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.  
  
References 
https://wordpress.org/plugins/astra-sites/#developers  
https://www.techradar.com/in/news/a-million-wordpress-sites-are-at-risk-due-to-plugin-vulnerability 
https://www.searchenginejournal.com/wordpress-starter-template-plugin-vulnerability/427028/ 
https://www.wordfence.com/blog/2021/11/over-1-million-sites-impacted-by-vulnerability-in-starter-templates-plugin/  
