Starter Templates – Elementor, Gutenberg & Beaver Builder Templates plugin from WordPress theme editors Astra contains a vulnerability affecting over one million websites. The exploit allows an attacker to download malicious scripts, organize a total takeover of the site, and attack visitors of the vulnerable website.

Starter Templates – Elementor, Gutenberg and Beaver Builder Templates

The Starter Templates plugin is published by Brainstorm Force, the creators of the ever popular Astra WordPress theme. The plugin allows users to use over 280 WordPress templates which help speed up website development.

The templates are designed to be compatible with Elementor, Gutenberg, Brizy, and Beaver Builder, as well as the Astra theme.

The plugin is installed on over a million websites.

Vulnerability of Stored Cross-Site Scripting (XSS)

The Brainstorm Force Starter Templates plugin was discovered by Wordfence security researchers to contain a type of vulnerability that allows an attacker to download malicious script which is in turn stored on the website itself.

A stored XSS vulnerability is particularly troublesome because the downloaded script is stored on the server of the attacked site itself.

The nonprofit Open Web Application Security Project (OWASP) describes the severity of this kind of XSS vulnerability on their site:

“Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message board, in a visitor log, in a comment field, etc.”

The victim then retrieves the malicious script from the server when it requests the stored information.

Website takeover and attacks on website visitors

The vulnerability could result in a complete takeover of the site and use the vulnerable website to launch attacks against all site visitors.

According to the Wordfence report:

“An attacker could create and host a block containing malicious JavaScript on a server they controlled, then use it to overwrite any post or page…

Any post or page created with Elementor, including published pages, could be overwritten by the imported block, and malicious JavaScript in the imported block would be executed in the browsers of all visitors to that page.

This could be used to redirect site visitors to malicious websites, or hijack an administrator’s session in order to create a new malicious administrator or add a backdoor to the site, leading to a takeover of the site.

Starter template plugin fixed

The editors of the Starter Templates plugin were notified by Wordfence of the vulnerability and they quickly patched the plugin in version 2.7.1.

The public changelog for the Starter Templates plugin accurately saves the patch:

v2.7.1 – 7-October-2021
– Improved security: Validate the URL of the site before processing the import request.
– Improved security: updated the right file download permission before importing images.

An honest changelog like the one published by Brainstorm Force is a sign of a quality editor and it’s great to see them open about fixing security issues.

Wordfence advises publishers to update their plugin

Wordfence recommends that all publishers using this plugin update to the latest version of the plugin to 2.7.5 as this latest version also contains important bug fixes.

Quote

Read Wordfence’s Bootstrap Model Vulnerability Report

Over 1 Million Sites Affected by Vulnerability in Starter Templates Plugin