Elementor WordPress Contact Form Plugin Vulnerability Exposes Up To 200,000 Sites via @sejournal, @martinibuster
The United States National Vulnerability Database published an advisory about an XSS vulnerability affecting the popular Metform Elementor Contact Form Builder, which has over 200,000 active installs exposed to the vulnerability.
Stored Cross Site Scripting (XSS)
A stored XSS vulnerability is one in which a website fails to properly secure an input, like a submission form, which allows a hacker to upload a malicious script to the server.
The script is then downloaded and executed by a site visitor's browser, allowing the hacker to steal the visitor's cookies or gain their website permissions, which can then lead to a website takeover.
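The stored XSS pattern described above, shown as a form-entry view with and without output encoding. This is an added example, not Metform's code or code from the original article; the sample entries, function names and the DOM-based check are hypothetical and constructed for illustration.

```php
<?php
// Constructed sample: form entries as they might sit in storage after submission.
$entries = [
    ['name' => 'Alice',   'message' => 'Please call me back.'],
    ['name' => 'Mallory', 'message' => '<script>alert(1)</script>'],
    ['name' => '"><img src=x onerror=alert(1)>', 'message' => 'hi'],
];

// Vulnerable pattern: stored input is concatenated into the page as-is,
// so markup inside a submission becomes markup in the viewer's browser.
function render_entry_unsafe(array $e): string {
    return '<li title="' . $e['name'] . '">' . $e['message'] . '</li>';
}

// Hardened pattern: encode on output. ENT_QUOTES also encodes quotes,
// which keeps the value from breaking out of the title="..." attribute.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_entry_safe(array $e): string {
    return '<li title="' . h($e['name']) . '">' . h($e['message']) . '</li>';
}

// Defensive check (hypothetical helper): parse the rendered fragment and count
// <script> elements and on* event-handler attributes that ended up in the DOM.
function injected_nodes(string $html): int {
    libxml_use_internal_errors(true);   // tolerate malformed markup quietly
    $doc = new DOMDocument();
    $doc->loadHTML('<ul>' . $html . '</ul>');
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);
    return $xpath->query('//script | //@*[starts-with(name(), "on")]')->length;
}

// Render every stored entry both ways and report what reached the DOM.
foreach ($entries as $i => $e) {
    printf(
        "entry %d: unsafe render -> %d active node(s), safe render -> %d\n",
        $i,
        injected_nodes(render_entry_unsafe($e)),
        injected_nodes(render_entry_safe($e))
    );
}
```

The same check can run in a plugin's test suite against any view that displays submitted form data, so a missing output-encoding call is caught before release.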
The non-profit Open Worldwide Application Security Project (OWASP) describes the Cross Site Scripting vulnerability: