A major security flaw in the Starter Templates plugin could allow low-privileged authenticated users to import blocks and run malicious scripts on target websites. The developers patched the bug following the report, so users should make sure their sites run plugin version 2.7.1 or later.
Starter Templates Plugin Flaw
Team Wordfence has recently shared details about a severe security flaw in the Starter Templates plugin.
Officially named “Starter Templates — Elementor, Gutenberg & Beaver Builder Templates,” it’s a helpful plugin that speeds up website building by importing pre-made site templates. The plugin currently boasts over a million active installations, so exploitation of the vulnerability would put over a million websites at risk.
Regarding the vulnerability, Wordfence described in the post that the bug predominantly affected sites with the Elementor page builder. In this case, all authenticated users with the edit_posts capability could import blocks on any website page via the astra-page-elementor-batch-process AJAX action. Although the elementor_batch_process function associated with this action did perform a nonce check, the required _ajax_nonce was also available to Contributor-level users in the page source of the WordPress dashboard.
Hence, an adversary with authenticated access could craft a malicious block on their own servers and then import it here. The request would have the url parameter pointed to their remotely hosted malicious block, as well as an id parameter containing the post or page to overwrite.
This would allow the malicious scripts to execute on the target site, enabling actions such as overwriting published pages. In turn, this would lead to a stored XSS condition, as the script would run for everyone visiting the infected webpage.
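For defenders reviewing request logs from before the update, the following added example (not code from Wordfence or the plugin) flags calls to the AJAX action described above whose url parameter points outside an allowlist. The JSON-lines audit format, the sample records and the templates.example host are constructed assumptions.

```python
import json
from urllib.parse import parse_qs, urlsplit

ACTION = "astra-page-elementor-batch-process"  # AJAX action named in the article
TRUSTED_HOSTS = {"templates.example"}  # assumption: placeholder for the legitimate template host

# Constructed sample records (hypothetical JSON-lines audit format that captures POST bodies).
SAMPLE_LOG = """\
{"user": "editor1", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=astra-page-elementor-batch-process&url=https%3A%2F%2Ftemplates.example%2Fblock%2F12&id=7"}
{"user": "contrib9", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=astra-page-elementor-batch-process&url=https%3A%2F%2Fblocks.invalid%2Fb.json&id=2"}
{"user": "contrib9", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=astra-page-elementor-batch-process&url=https%3A%2F%2Ftemplates.example%40blocks.invalid%2Fb&id=3"}
{"user": "author2", "method": "POST", "path": "/wp-admin/admin-ajax.php", "body": "action=heartbeat&interval=60"}
{"user": "contrib9", "method": "GET", "path": "/wp-admin/edit.php", "body": ""}
"""

def remote_host(url):
    """Return the lower-cased host a fetch would contact, or None if there is none."""
    try:
        host = urlsplit(url).hostname  # a "user@" prefix is not part of the host
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None

def suspicious_imports(log_text, trusted=TRUSTED_HOSTS):
    """Return (user, target_id, host) for import requests sourced outside `trusted`."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or not rec.get("path", "").endswith("/admin-ajax.php"):
            continue
        params = parse_qs(rec.get("body", ""))
        if ACTION not in params.get("action", []):
            continue
        # A missing or unparsable url yields host None, which is also flagged.
        host = remote_host(params.get("url", [""])[-1])
        if host not in trusted:
            findings.append((rec.get("user"), params.get("id", [None])[-1], host))
    return findings

if __name__ == "__main__":
    for user, post_id, host in suspicious_imports(SAMPLE_LOG):
        print(f"review: user={user} import into id={post_id} from host={host}")
```

Any post or page id the script reports is a candidate for review of its revision history and current content.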
Patched Version Released
Wordfence discovered the vulnerability in the plugin in October, after which they reached out to the plugin team. This high-severity bug (CVSS 7.6) affected plugin versions 2.7.0 and earlier.
Consequently, the developers addressed the flaw and released the patch with version 2.7.1.
Nonetheless, they have made more fixes since this release, rolling out version 2.7.5 (according to the changelog on the plugin page). So now, all Starter Templates plugin users should update their websites to the latest release to get all the fixes.