An XSS vulnerability in Astra Theme's WordPress plugin, which could lead to total site takeover and attacks on visitors, has been fixed.
The vulnerability (CVE-2021-42360) was first discovered on October 4th, 2021 by the security experts at Wordfence. It affects the Brainstorm Force Starter Templates plugin and allows an attacker to upload a malicious script that is then stored on the website itself.
The Starter Templates plugin lets site owners import pre-made templates and blocks for a variety of page builders, including Elementor.
On sites that also have Elementor installed, users with the edit_posts capability, which includes Contributor-level users, could import blocks onto any page using the astra-page-elementor-batch-process AJAX action. Although the elementor batch process function associated with this action did perform a nonce check, Contributor-level users could find the required _ajax_nonce in the page source of the WordPress dashboard, so the nonce check did not keep low-privileged users from calling the action.
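The gap described above, a nonce check standing in for an authorization check, shown as an added example that is not the plugin's own code. Both WordPress AJAX handlers are hypothetical: the action names, nonce action, request fields and meta key are assumptions.

```php
<?php
// Added illustration: hypothetical handlers, not code from the Starter Templates plugin.
// Action names, nonce action, request fields and meta key are assumptions.

// Weak: the nonce is the only gate. It proves the request came from a dashboard
// page this user loaded; it says nothing about what the user may change.
add_action( 'wp_ajax_example_import_weak', function () {
	check_ajax_referer( 'example-import', '_ajax_nonce' ); // dies on a bad nonce
	$post_id = absint( $_POST['post_id'] ?? 0 );
	// update_post_meta() runs no capability check and no HTML filtering
	// (it expects slashed input, so raw $_POST data is passed as-is).
	update_post_meta( $post_id, '_example_block', $_POST['content'] ?? '' );
	wp_send_json_success();
} );

// Hardened: nonce (anti-CSRF) plus per-post authorization plus sanitization.
add_action( 'wp_ajax_example_import_hardened', function () {
	check_ajax_referer( 'example-import', '_ajax_nonce' );

	$post_id = absint( $_POST['post_id'] ?? 0 );
	// The caller must be allowed to edit this specific post, not just "some" post.
	if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	$content = $_POST['content'] ?? '';
	if ( ! is_string( $content ) ) {
		wp_send_json_error( 'bad content', 400 );
	}
	$content = wp_unslash( $content );
	// Users without unfiltered_html (Contributors, Authors) get post-safe HTML only.
	if ( ! current_user_can( 'unfiltered_html' ) ) {
		$content = wp_kses_post( $content );
	}

	update_post_meta( $post_id, '_example_block', wp_slash( $content ) );
	wp_send_json_success( array( 'post_id' => $post_id ) );
} );
```

Wherever the stored value is later rendered, it still needs escaping on output; sanitizing on save does not replace that.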
What is a Stored Cross-Site Scripting (XSS) Vulnerability?
Cross-site scripting is a class of security flaw found in web applications. Attackers can use XSS to inject client-side scripts into web pages that are viewed by other users. An attacker could exploit a cross-site scripting vulnerability to get around access controls such as the same-origin policy. A stored XSS vulnerability is highly dangerous because the submitted script is saved on the server of the targeted site.
Starter Templates plugin versions 2.7.0 and older are affected by this vulnerability.
Customers are requested to update to Starter Templates version 2.7.1 or later to patch this vulnerability. For more information, please visit the announcement page.
Qualys customers can scan their devices with QID 730259 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.