Prerequisites
Description
After running a security scan (IBM AppScan) on Elementor, we found that any HTML can be injected while accessing the template editor features, e.g. Popups.
Steps to reproduce
If you add any valid HTML to the `elementor_library_type` URL parameter, it will be rendered in the page, e.g.
`/wp-admin/edit.php?post_type=elementor_library&tabs_group=popup&elementor_library_type=popup<b>hello<%2Fb>`
will render this

This is valid for any HTML tag, including `<script>`.
Isolating the problem
Environment
System Info
```
== Server Environment ==
Operating System: Linux
Software: Apache
MySQL version: Percona Server (GPL), Release '28', Revision 'c335905' v5.7.25-28
PHP Version: 7.2.18-1+ubuntu18.04.1+deb.sury.org+1
PHP Max Input Vars: 1000
PHP Max Post Size: 100M
GD Installed: Yes
ZIP Installed: Yes
Write Permissions: All right
Elementor Library: Connected
== WordPress Environment ==
Version: 5.2.1
Site URL: https://hebtest.staging.wpengine.com
Home URL: http://hebtest.staging.wpengine.com
WP Multisite: No
Max Upload Size: 50 MB
Memory limit: 512M
Permalink Structure: /%postname%/
Language: en-US
Timezone: 0
Debug Mode: Active
== Theme ==
Name: astra-heb-child
Version:
Author:
Child Theme: Yes
== User ==
Role: administrator
WP Profile lang: en_US
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
== Active Plugins ==
Advanced Custom Fields PRO
Version: 5.8.0
Author: Elliot Condon
AnyWhere Elementor Pro
Version: 2.12
Author: WebTechStreet
Astra Pro
Version: 1.8.2
Author: Brainstorm Force
Disable Gutenberg
Version: 1.8.1
Author: Jeff Starr
Duplicate Post
Version: 3.2.2
Author: Enrico Battocchi
Elementor
Version: 2.5.16
Author: Elementor.com
Elementor Pro
Version: 2.5.9
Author: Elementor.com
FacetWP
Version: 3.3.7
Author: FacetWP, LLC
H-E-B Events
Version: 1.0.0
Author: Enrico Berti - Guidea
H-E-B Taleo Client Connect Importer
Version: 1.0.0
Author: Enrico Berti - Guidea
InGallery by Maxiolab
Version: 1.38
Author: Maxiolab
Insert Headers and Footers
Version: 1.4.4
Author: WPBeginner
Show modified Date in admin lists
Version: 1.1
Author: Apasionados.es
Ultimate Addons for Elementor
Version: 1.12.0
Author: Brainstorm Force
WP SVG images
Version: 3.0
Author: KubiQ
Yoast SEO
Version: 11.3
Author: Team Yoast
== Must-Use Plugins ==
Elementor Safe Mode
Version: 1.0.0
Author: Elementor.com
Force Strong Passwords - WPE Edition
Version: 1.6.4
Author: Jason Cosper
Stop long comments
Version: 0.0.4
Author: WPEngine
WP Engine System
Version: 3.2.1
Author: WP Engine
== Log ==
Log: showing 20 of 41
2019-04-03 10:15:02 [info] Elementor data updater process has been queued. [array (
'plugin' => 'Elementor Pro',
'from' => '2.4.3',
'to' => '2.5.3',
)]
2019-04-10 10:06:18 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor',
'from' => '2.5.11',
'to' => '2.5.12',
)]
2019-04-10 10:06:19 [info] elementor-pro::elementor_pro_updater Started
2019-04-10 10:06:19 [info] Elementor Pro/Upgrades - _v_2_5_4_posts Start
2019-04-10 10:06:19 [info] Elementor Pro/Upgrades - _v_2_5_4_posts Finished
2019-04-10 10:06:19 [info] Elementor Pro/Upgrades - _v_2_5_4_portfolio Start
2019-04-10 10:06:19 [info] Elementor Pro/Upgrades - _v_2_5_4_portfolio Finished
2019-04-10 10:06:19 [info] Elementor Pro/Upgrades - _v_2_5_4_products Start
2019-04-10 10:06:19 [info] Elementor Pro/Upgrades - _v_2_5_4_products Finished
2019-04-10 10:06:19 [info] Elementor Pro/Upgrades - _v_2_5_4_form Start
2019-04-10 10:06:19 [info] Elementor Pro/Upgrades - _v_2_5_4_form Finished
2019-04-10 10:06:19 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor Pro',
'from' => '2.5.3',
'to' => '2.5.5',
)]
2019-04-10 10:06:19 [info] Elementor data updater process has been queued. [array (
'plugin' => 'Elementor Pro',
'from' => '2.5.3',
'to' => '2.5.5',
)]
2019-04-14 10:13:13 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor',
'from' => '2.5.12',
'to' => '2.5.13',
)]
2019-04-18 19:12:50 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor',
'from' => '2.5.13',
'to' => '2.5.14',
)]
2019-04-30 15:32:03 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor Pro',
'from' => '2.5.5',
'to' => '2.5.6',
)]
2019-05-07 14:14:05 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor',
'from' => '2.5.14',
'to' => '2.5.15',
)]
2019-05-07 14:14:06 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor Pro',
'from' => '2.5.6',
'to' => '2.5.8',
)]
2019-05-29 13:41:23 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor',
'from' => '2.5.15',
'to' => '2.5.16',
)]
2019-05-29 13:41:23 [info] Elementor data updater process has been completed. [array (
'plugin' => 'Elementor Pro',
'from' => '2.5.8',
'to' => '2.5.9',
)]
JS: showing 1 of 1
JS: 2019-05-06 12:49:56 [error X 83][https://hebtest.staging.wpengine.com/wp-content/plugins/elementor/assets/js/editor.min.js?ver=2.5.14:2:27759] Cannot read property 'get' of undefined
PHP: showing 1 of 1
PHP: 2019-05-29 14:11:24 [warning X 1][/nas/content/live/hebtest/wp-content/plugins/elementor/includes/base/controls-stack.php::714] Illegal string offset 'type' [array (
'trace' => '
#0: Elementor\Core\Logger\Manager -> shutdown()
',
)]
```
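The injection point described in the report, as an added illustration that is not Elementor's own code: a simplified WordPress admin tab renderer that writes the `elementor_library_type` query value straight into the markup, beside a hardened version that normalises the value with `sanitize_key()`, checks it against an allow-list of template types and escapes every output with `esc_attr()`/`esc_html()`. The function names `render_tabs_vulnerable()`/`render_tabs_hardened()`, the `$allowed_types` list and the sample query are assumptions made for the demo; the polyfills at the top exist only so the file runs under plain `php` outside WordPress, where the real escaping functions take over.

```php
<?php
// Added example (not Elementor's code): reflected XSS via a query parameter
// echoed into an admin page, and the hardened equivalent.
// Names, allow-list and sample input are assumptions for this demo.

// Stand-ins so the file runs under plain `php` outside WordPress.
// Inside WordPress the real esc_attr(), esc_html() and sanitize_key() apply.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_key' ) ) {
    // Mirrors WordPress: lowercase, keep only [a-z0-9_-].
    function sanitize_key( $key ) {
        return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
    }
}

// Template types the tab bar knows about (assumed list for the demo).
$allowed_types = array( 'page', 'section', 'popup' );

/**
 * Vulnerable pattern: the raw request value is concatenated into HTML, so
 * ?elementor_library_type=popup<b>hello</b> renders the <b> tag, and a
 * <script> tag is rendered just as readily.
 */
function render_tabs_vulnerable( array $query, array $allowed_types ) {
    $current = isset( $query['elementor_library_type'] ) ? $query['elementor_library_type'] : '';
    $html = '<h2 class="nav-tab-wrapper">';
    foreach ( $allowed_types as $type ) {
        $active = ( $current === $type ) ? ' nav-tab-active' : '';
        $html  .= '<a class="nav-tab' . $active . '" href="edit.php?post_type=elementor_library&elementor_library_type=' . $type . '">' . ucfirst( $type ) . '</a>';
    }
    // Injection point: unescaped user input in an HTML text context.
    $html .= '</h2><p>Showing type: ' . $current . '</p>';
    return $html;
}

/**
 * Hardened pattern: (1) normalise the value to a slug, (2) drop anything not
 * on the allow-list, (3) escape on output regardless, as defence in depth in
 * case the allow-list is later sourced from the database.
 */
function render_tabs_hardened( array $query, array $allowed_types ) {
    $requested = isset( $query['elementor_library_type'] ) ? sanitize_key( $query['elementor_library_type'] ) : '';
    $current   = in_array( $requested, $allowed_types, true ) ? $requested : '';
    $html = '<h2 class="nav-tab-wrapper">';
    foreach ( $allowed_types as $type ) {
        $active = ( $current === $type ) ? ' nav-tab-active' : '';
        $url    = 'edit.php?post_type=elementor_library&elementor_library_type=' . $type;
        $html  .= '<a class="nav-tab' . esc_attr( $active ) . '" href="' . esc_attr( $url ) . '">' . esc_html( ucfirst( $type ) ) . '</a>';
    }
    // Escaped, and already reduced to an allow-listed slug or the empty string.
    $html .= '</h2><p>Showing type: ' . esc_html( $current ) . '</p>';
    return $html;
}

// Constructed sample request: the report's payload after URL decoding.
$query = array( 'elementor_library_type' => 'popup<b>hello</b>' );

echo "vulnerable:\n", render_tabs_vulnerable( $query, $allowed_types ), "\n\n";
echo "hardened:\n",   render_tabs_hardened( $query, $allowed_types ), "\n";
```

Run it with `php demo.php`: the vulnerable output contains a live `<b>hello</b>` element, while the hardened output shows an empty "Showing type:" because `sanitize_key()` turns the payload into `popupbhellob`, which fails the allow-list check; even a value that passed the list would be HTML-escaped before reaching the page.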