A major security flaw in the Starter Templates plugin could allow low-privileged authenticated users to import blocks and run malicious scripts on target websites. The developers patched the bug after it was reported. Users should update their sites to plugin version 2.7.1 or later.
Starter Templates Plugin Flaw
Team Wordfence has recently shared details about a severe security flaw in the Starter Templates plugin.
Officially named “Starter Templates — Elementor, Gutenberg & Beaver Builder Templates,” it’s a helpful plugin that speeds up website building by importing pre-made site templates. The plugin currently boasts over a million active installations. Hence, exploiting the vulnerability would put over a million websites at risk.
Regarding the vulnerability, Wordfence described in its post that the bug predominantly affected sites with the Elementor page builder. In this case, all authenticated users with the edit_posts capability could import blocks on any website page via the astra-page-elementor-batch-process AJAX action.
As elaborated,
While the elementor_batch_process function associated with this action did perform a nonce check, the required _ajax_nonce was also available to Contributor-level users in the page source of the WordPress dashboard.
Hence, an adversary with authenticated access could craft a malicious block on their own servers and then import it into the target site.
An attacker could craft and host a block containing malicious JavaScript on a server they controlled, and then use it to overwrite any post or page by sending an AJAX request with the action set to astra-page-elementor-batch-process and the url parameter pointed to their remotely-hosted malicious block, as well as an id parameter containing the post or page to overwrite.
This would allow malicious scripts to execute on the target site, leading to various actions such as overwriting published pages. In turn, this would lead to a stored XSS condition, as the script would run for everyone visiting the infected webpage.
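The request described above has a recognizable shape (the AJAX action name plus a url parameter pointing at a remote host), so it can be searched for in request logs. The following Python sketch is an added example, not code from Wordfence or the plugin. It assumes a log that records POST bodies as JSON lines with hypothetical field names (user, path, body) and a placeholder allowlist of trusted template hosts.

```python
import json
from urllib.parse import parse_qs, urlsplit

ACTION = "astra-page-elementor-batch-process"  # AJAX action named in the article
TRUSTED_HOSTS = {"templates.example.org"}      # placeholder allowlist (assumption)

# Constructed sample records; the JSON field names are hypothetical.
SAMPLE_LOG = "\n".join([
    '{"user": "editor1", "path": "/wp-admin/admin-ajax.php", "body": '
    '"action=astra-page-elementor-batch-process&url=https%3A%2F%2Ftemplates.example.org%2Fb%2F1&id=12"}',
    '{"user": "contrib7", "path": "/wp-admin/admin-ajax.php", "body": '
    '"action=astra-page-elementor-batch-process&url=https%3A%2F%2Fblocks.example.net%2Fb.json&id=2"}',
    '{"user": "contrib7", "path": "/wp-admin/admin-ajax.php?action=astra-page-elementor-batch-process", '
    '"body": "url=%2F%2Fblocks.example.net%2Fb.json&id=5"}',
    '{"user": "author3", "path": "/wp-admin/admin-ajax.php", "body": "action=heartbeat"}', 'not json',
])

def url_host(url):
    """Lower-cased host of url, or '' when it has none or cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""

def find_untrusted_imports(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Return one finding per batch-import request whose url host is not trusted."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        target = urlsplit(rec.get("path", ""))
        if not target.path.endswith("/admin-ajax.php"):
            continue
        # WordPress accepts the action from the query string or the POST body.
        params = parse_qs(target.query, keep_blank_values=True)
        for key, values in parse_qs(rec.get("body", ""), keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
        if ACTION not in params.get("action", []):
            continue
        for url in params.get("url", [""]):
            if url_host(url) not in trusted_hosts:
                findings.append({"user": rec.get("user"), "url": url,
                                 "post_id": params.get("id", [None])[0]})
    return findings

if __name__ == "__main__":
    print(find_untrusted_imports(SAMPLE_LOG))
```

Each finding names the account and the post id that was targeted, which gives a starting list of pages to review for injected script.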
Patched Version Released
Wordfence discovered the vulnerability in the plugin in October, after which they reached out to the plugin team. This high-severity bug (CVSS 7.6) affected plugin versions 2.7.0 and earlier.
Consequently, the developers addressed the flaw and released the patch with version 2.7.1.
The developers have made more fixes since this release, rolling out version 2.7.5 (according to the changelog on the plugin page). All Starter Templates plugin users should update their websites to the latest release to get all the fixes.