NewsWeb DevelopmentWordPress

WordPress Template Plugin Vulnerability Affects Over One Million Websites

Astra Theme's WordPress plugin patched an XSS vulnerability that could lead to total site takeover and attacks on site visitors.

The Starter Templates — Elementor, Gutenberg, and Beaver Builder Templates plugin by the Astra WordPress theme’s authors contain a vulnerability that affects over a million websites. An attacker can use the exploit to upload malicious scripts, stage a total site takeover, and attack visitors to the vulnerable website.

Elementor, Gutenberg, and Beaver Builder Starter Templates

Brainstorm Force, the creators of the wildly popular Astra WordPress theme, released the Starter Templates plugin. The plugin enables users to use over 280 WordPress templates, which aid in the development of websites.

The templates have been designed to work with Elementor, Gutenberg, Brizy, and Beaver Builder, as well as the Astra theme.

Over a million websites have the plugin installed.

Read The Best Music Streaming Apps for iPhones.

Vulnerability for Stored Cross-Site Scripting (XSS)

Wordfence security researchers discovered a type of vulnerability in the Brainstorm Force Starter Templates plugin that allows an attacker to upload a malicious script that is then stored on the website itself.

Because the uploaded script is stored on the server of the attacked site, a Stored XSS vulnerability is especially troublesome.

On their website, the non-profit Open Web Application Security Project (OWASP) describes the gravity of this type of XSS vulnerability:

“Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc.

The victim then retrieves the malicious script from the server when it requests the stored information.”

Attacks on Website Visitors and Website Takeover

The vulnerability could result in a complete site takeover, as well as the use of the vulnerable website to launch attacks on all site

According to a Wordfence report:

“An attacker could craft and host a block containing malicious JavaScript on a server they controlled, and then use it to overwrite any post or page…

Any post or page that had been built with Elementor, including published pages, could be overwritten by the imported block, and the malicious JavaScript in the imported block would then be executed in the browser of any visitors to that page.

This could be used to redirect site visitors to malicious websites, or hijack an administrator’s session in order to create a new malicious administrator or add a backdoor to the site, leading to site takeover.”

Starter Templates Plugin has been repaired

Wordfence notified the Starter Templates plugin’s publishers of the vulnerability, and the plugin was promptly patched in version 2.7.1.

The patch is accurately recorded in the Starter Templates plugin’s public changelog:

v2.7.1 – 7-October-2021
– Security Improvement: Validate the site URL before processing the import request.
– Security Improvement: Updated right file upload permission before importing images.

An honest changelog, such as the one published by Brainstorm Force, is a sign of a good publisher, and it’s great to see them being open about addressing security issues.

Wordfence Recommends Publishers Update Their Plugin

Wordfence recommends that all publishers who use this plugin update to the most recent version, 2.7.5 because it contains important bug fixes.

Need help with our free SEO tools? Try our free Link Analyzer, Website Links Count Checker, Link Price Calculator.

Learn more from WordPress and read Vulnerability in the WordPress Plugin OptinMonster Affects +1 Million Sites.

Related Articles


  1. FiveM Zone: The #1 FiveM Mod Shop | FiveM Shop

    Download Best quality FiveM Mods for your Roleplay Server from our FiveM Shop. Find the best scripts and mods on our FiveM Store! #FiveM-Zone.

    Get the Excellent FiveM Server Pack at Discount Price. Explore Trusted FiveM Store to Buy FiveM Mods, FiveM Scripts, FiveM EUP, FiveM Vehicles, FiveM Maps & FiveM ESX Scripts, FiveM VRP Scripts, FiveM GTA5, FiveM Discords, FiveM Jail Scripts, FiveM QBUS Scripts, FiveM Nopixel, FiveM Patreon, etc.

    Our official site:
    Best FiveM Shop
    FiveM Shop
    FiveM Zone | Best FiveM Store

Leave a Reply

Your email address will not be published.

Back to top button

Adblock Detected

Don't miss the best oppertunities.