Essential Addons for Elementor Vulnerability Hits Over 2 Million WordPress Sites

Reliqus Marketing

29 March 2024

Wordpress Websites
By Ankit Bhatia
Founder & CEO

Recently, security researchers have uncovered a major vulnerability in the Essential Addons for Elementor plugin that has sent shockwaves through the WordPress community. 

This plugin, which is a popular choice for website builders, has been found to have a Stored Cross-Site Scripting (XSS) vulnerability, which has affected over 2 million websites. 

The vulnerability is due to flaws found in two widgets that are a part of the plugin. This alarming news serves as a wake-up call for website owners and developers to prioritize security measures and requires immediate action to prevent any further damage. 

Two Widgets That Lead To Vulnerabilities

  • Countdown Widget
  • Woo Product Carousel Widget

Essential Addons For Elementor

Essential Addons for Elementor is a powerful plugin designed to enhance the capabilities of the Elementor WordPress page builder. By integrating this addon, users gain access to a broad array of additional features and widgets, further simplifying the website creation process.

From advanced content elements to unique customization options, Essential Addons extends the functionality of Elementor. This makes it an indispensable tool for both novice and experienced web designers seeking to elevate their site’s aesthetics and user experience.

The Vulnerability Exposed

Wordfence, a leading security service for WordPress websites, revealed that Essential Addons for Elementor contains a Stored Cross-Site Scripting (XSS) vulnerability.

This vulnerability is particularly alarming as it enables attackers to embed malicious scripts directly into websites, which then execute in the browsers of visitors. Such scripts can hijack session cookies, allowing attackers unauthorized control over the website posing a severe security risk.

Stored XSS vulnerabilities, which stem from inadequate screening of input fields for text or images, rank among the most prevalent security threats, highlighting the critical nature of this particular vulnerability in affecting WordPress sites.

The vulnerability within the Essential Addons for Elementor plugin stemmed from two critical flaws: the failure to adequately sanitize inputs and the oversight in escaping output effectively. 

Plugins are expected to filter out harmful inputs, such as scripts, which could potentially harm the website or its users. Similarly, escaping output is crucial to prevent any output containing harmful data from being executed by a browser. 

Wordfence highlighted these issues as primary factors contributing to the vulnerability, underlining the need for rigorous security protocols in plugin development to safeguard against such weaknesses.

They warned about the countdown widget:

“The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget’s message parameter in all versions up to, and including, 5.9.11 due to insufficient input sanitization and output escaping.

This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

“The Essential Addons for Elementor …plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the alignment parameter in the Woo Product Carousel widget in all versions up to, and including, 5.9.10 due to insufficient input sanitization and output escaping. “

Additional Insights:

Fake CVE Phishing Scam Tricks: A New Threat to WordPress Websites

How to Make Your WordPress Website Safe and Secure?

The Role of Authenticated Attackers

The term “authenticated attackers” refers to a specific scenario where an attacker must first obtain access credentials to the WordPress site, with at least a contributor level of permissions. 

This means the vulnerability is not immediately accessible to any external hacker but requires prior unauthorized access or manipulation to gain the necessary privileges. It underlines the importance of strict user role management and the potential risks of compromised user accounts within WordPress environments.

A Medium Level Threat, but a High-Level Concern – Updating Recommended

The security vulnerability identified within the Essential Addons for Elementor plugin has been officially categorized as a medium-level threat. It has been assigned a severity score of 6.4 out of a possible 10

This rating reflects a significant risk that, while not the most critical, still poses a considerable threat to the security and integrity of websites utilizing the affected plugin versions.

Users operating on Essential Addons for Elementor version 5.9.11 or lower are strongly advised to take immediate action by updating to the latest version, which is 5.9.13. This update is crucial for mitigating the risk and protecting websites from potential exploits related to this vulnerability. 

Although updating is crucial, additional measures should be taken to fortify your site’s security. We recommend reading our comprehensive guide on hardening your WordPress website’s security for further strategies to secure and protect your website from future vulnerabilities.

Why It’s Time to Invest in Continuous Malware Removal and Website Maintenance Services?

In the digital age, the security of your website is paramount. With vulnerabilities like the one found in Essential Addons for Elementor, it’s clear that threats evolve and emerge continuously. 

Malware and other malicious attacks can not only compromise your website’s integrity but also endanger your users’ security and trust. This is where the necessity for continuous malware removal and website maintenance services becomes evident.

  • Proactive Protection: Regular maintenance and continuous monitoring of your website can identify vulnerabilities and malware infections before they escalate into more severe problems. Early detection is key to preventing potential damage.
  • Maintaining User Trust: Users trust websites that are secure and perform reliably. A single security breach can significantly harm your brand’s reputation and user trust, which can be difficult and costly to rebuild.
  • Ensuring Compliance: Various industries have regulatory requirements regarding data protection and privacy. Regular website maintenance helps ensure that your site remains compliant with these regulations, avoiding potential legal and financial repercussions.
  • Optimal Performance: Beyond security, regular maintenance ensures that your website is running optimally. This includes updating software, optimizing databases, and ensuring that your site remains fast and accessible to your audience.

Reliqus Consulting to the Rescue: Your Partner in Web Security

Reliqus Consulting understands the importance of both proactive and reactive website security measures. Our comprehensive WordPress website malware removal and WordPress website maintenance services are designed to provide continuous protection against the ever-evolving landscape of cyber threats. 

By choosing us, you benefit from:

  • Expert Monitoring: Our team continuously monitors your website for any signs of vulnerability or malware infection, ensuring immediate action can be taken.
  • Regular Updates: We keep your website’s software up-to-date, closing security gaps and maintaining compatibility with the latest web standards.
  • Malware Removal: Should your website fall victim to malware, our experts will swiftly identify and remove the malicious software, mitigating any potential damage.
  • Performance Optimization: Alongside security, our maintenance services ensure that your website remains fast, efficient, and user-friendly, enhancing the overall user experience.

In today’s digital landscape, the cost of inaction can be much higher than the investment in security and maintenance. With Reliqus Consulting, you gain more than a service provider; you gain a partner dedicated to ensuring your website’s security and optimal performance.


The discovery of the Essential Addons for Elementor vulnerability underscores the precarious nature of website security in today’s digital era. It emphasizes not just the necessity for immediate action in the face of security threats, but also the importance of ongoing vigilance through continuous malware removal and website maintenance services. 

Partnering with a dedicated security provider like Reliqus Consulting offers peace of mind. It ensures that your site remains fortified against vulnerabilities, optimized for performance, and secure for your users.

In the realm of website management, proactive security measures are not an option; they are essential for safeguarding your digital assets and preserving your online reputation.

Ankit Bhatia

Founder & CEO at Reliqus

With 12+ years of experience building a web presence for 300+ businesses, Ankit understands how businesses can use technology to increase revenue.

Latest from the blog

What is HTTP 429 Status Code (Too Many Requests)?

Managing traffic efficiently is crucial in today’s interconnected digital landscape, where millions of websites and applications are access...

What is HTTP 428 Status Code (Precondition Required)?

For many website owners and developers, the HTTP 428 Status Code can be a source of frustration. Its implications are often misunderstood, leadin...

What is HTTP 426 Status Code (Upgrade Required)?

Have you ever encountered an HTTP 426 Status Code while browsing the web and wondered what it means? Don’t worry, you’re not alone. T...

What is HTTP 425 Status Code (Too Early)?

Are you familiar with the various HTTP status codes that pop up on your screen while browsing the web? You’ve likely encountered common one...