
CVE-2021-42360 : What You Need to Know

Learn about CVE-2021-42360 affecting Starter Templates plugin 2.7.0 for WordPress. Understand the impact, technical details, and mitigation steps to prevent Stored XSS attacks.

Starter Templates — Elementor, Gutenberg & Beaver Builder Templates <= 2.7.0 Authenticated Block Import to Stored XSS

Understanding CVE-2021-42360

What is CVE-2021-42360?

The Starter Templates plugin for WordPress, in version 2.7.0 and earlier, allowed authenticated users with certain capabilities to import a block containing JavaScript onto any page. Because the imported content is saved and served to every visitor, this is a Stored Cross-Site Scripting (XSS) vulnerability.

The Impact of CVE-2021-42360

The vulnerability allowed a low-privileged, authenticated attacker to overwrite posts and pages built with Elementor, including already published pages, by importing a malicious block whose JavaScript then runs in the browser of anyone who views the page. The plugin is installed on over a million sites.

Technical Details of CVE-2021-42360

Vulnerability Description

Users with as little as the Contributor role could invoke the astra-page-elementor-batch-process AJAX action to import attacker-controlled blocks onto pages they should not be able to edit, enabling stored XSS.

Affected Systems and Versions

        Platforms: WordPress
        Product: Starter Templates — Elementor, Gutenberg & Beaver Builder Templates
        Vendor: BrainStormForce
        Version: <= 2.7.0

Exploitation Mechanism

The exploit involved hosting a block containing JavaScript on a server the attacker controls and sending AJAX requests to the vulnerable action that point at that block, so that the plugin overwrites the targeted posts/pages with the malicious block's content.
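As an added illustration (not code from the Starter Templates plugin or from Brainstorm Force), the checks a WordPress AJAX import handler needs so that a Contributor cannot overwrite arbitrary pages with script-bearing content: a nonce, a per-post edit_post capability check, an allow-list for the block source host, and kses filtering for users without unfiltered_html. The action name, parameter names and the trusted host are hypothetical; only the WordPress core functions are real.

```php
<?php
// Illustrative hardened AJAX import handler. Not the Starter Templates plugin's code:
// the action, parameter and host names are hypothetical; only WordPress core APIs are real.
add_action( 'wp_ajax_example_block_import', 'example_block_import_handler' );

function example_block_import_handler() {
    // 1. Nonce: the request must come from a form or script this plugin issued.
    check_ajax_referer( 'example_block_import', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $url     = isset( $_POST['block_url'] ) ? esc_url_raw( wp_unslash( $_POST['block_url'] ) ) : '';

    // 2. Per-object capability: may THIS user edit THIS post? A bare 'edit_posts'
    //    check passes for any Contributor and would still let them overwrite others' pages.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Source allow-list: never fetch block content from an arbitrary, caller-chosen host.
    $allowed_hosts = array( 'templates.example.com' ); // hypothetical trusted template host
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! $host || ! in_array( $host, $allowed_hosts, true ) ) {
        wp_send_json_error( 'untrusted block source', 400 );
    }

    $response = wp_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }
    $content = wp_remote_retrieve_body( $response );

    // 4. Sanitize: only users with unfiltered_html may store <script> or on* handlers.
    //    Applied explicitly here rather than relying on the save-time filters alone.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $content = wp_kses_post( $content );
    }

    $result = wp_update_post( array( 'ID' => $post_id, 'post_content' => $content ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```

The per-post check is the one that matters for this class of bug: a role-level capability such as edit_posts says a Contributor may write drafts, not that they may edit any given published page.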

Mitigation and Prevention

Immediate Steps to Take

        Update the Starter Templates plugin to a version later than 2.7.0
        Monitor for any unauthorized changes to posts/pages
        Restrict permissions for non-trusted users

Long-Term Security Practices

        Regularly audit plugins for vulnerabilities
        Educate users about safe content management practices
        Implement web application firewalls

Patching and Updates

Apply security patches promptly to prevent exploitation of known vulnerabilities.
