The Wordfence Threat Intelligence team has discovered a vulnerability in the Starter Templates plugin with over 1 million active installations.

The Starter Templates plugin allows site owners to import prebuilt templates and blocks for various page builders, including Elementor.

On sites that also had Elementor installed, it was possible for users with the edit_posts capability, which includes Contributor-level users, to import blocks onto any page using the astra-page-elementor-batch-process AJAX action.

While the elementor_batch_process function associated with this action did perform a nonce check, the required _ajax_nonce was also available to Contributor-level users in the page source of the WordPress dashboard.

public function elementor_batch_process() {
 
    // Verify Nonce.
    check_ajax_referer( 'astra-sites', '_ajax_nonce' );
 
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( __( 'You are not allowed to perform this action', 'astra-sites' ) );
    }
 
    if ( ! isset( $_POST['url'] ) ) {
        wp_send_json_error( __( 'Invalid API URL', 'astra-sites' ) );
    }
 
    $response = wp_remote_get( $_POST['url'] );
 
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( wp_remote_retrieve_body( $response ) );
    }
 
    $body = wp_remote_retrieve_body( $response );
    $data = json_decode( $body, true );
    if ( ! isset( $data['post-meta']['_elementor_data'] ) ) {
        wp_send_json_error( __( 'Invalid Post Meta', 'astra-sites' ) );
    }
 
    $meta    = json_decode( $data['post-meta']['_elementor_data'], true );
    $post_id = $_POST['id'];
 
    if ( empty( $post_id ) || empty( $meta ) ) {
        wp_send_json_error( __( 'Invalid Post ID or Elementor Meta', 'astra-sites' ) );
    }
 
    if ( isset( $data['astra-page-options-data'] ) && isset( $data['astra-page-options-data']['elementor_load_fa4_shim'] ) ) {
        update_option( 'elementor_load_fa4_shim', $data['astra-page-options-data']['elementor_load_fa4_shim'] );
    }
 
    $import      = new \Elementor\TemplateLibrary\Astra_Sites_Elementor_Pages();
    $import_data = $import->import( $post_id, $meta );
 
    wp_send_json_success( $import_data );
}

An attacker could craft and host a block containing malicious JavaScript on a server they controlled, and then use it to overwrite any post or page by sending an AJAX request with the action set to astra-page-elementor-batch-process and the url parameter pointed to their remotely-hosted malicious block, as well as an id parameter containing the post or page to overwrite.

Any post or page that had been built with Elementor, including published pages, could be overwritten by the imported block, and the malicious JavaScript in the imported block would then be executed in the browser of any visitors to that page.

This could be used to redirect site visitors to malicious websites or hijack an administrator’s session in order to create a new malicious administrator or add a backdoor to the site, leading to site takeover.

We strongly recommend updating to the latest version of the plugin available immediately, which is 2.7.5 as of this writing, since it contains additional bug fixes.