Over 1 Million Sites Impacted by Vulnerability in Starter Templates Plugin

WordFence - 

On October 4, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for the Starter Templates plugin, which is installed on over 1 Million WordPress websites. The full name of the WordPress plugin is “Starter Templates — Elementor, Gutenberg & Beaver Builder Templates”, but we are referring to it in this post as the “Starter Templates Plugin” to avoid confusion.

Versions 2.7.0 and older of this plugin contain a vulnerability that allows Contributor-level users to completely overwrite any page on the site with malicious JavaScript.

The plugin’s developer responded to us, and we provided full disclosure of the vulnerability details the next day, on October 5, 2021. A patched version of the Starter Templates plugin, version 2.7.1, was released on October 7, 2021.

We released a firewall rule to protect Wordfence Premium customers on October 4, 2021. Sites running the free version of Wordfence received the same protection 30 days later, on November 3, 2021.

Description: Authenticated Block Import to Stored XSS
Affected Plugin: Starter Templates — Elementor, Gutenberg & Beaver Builder Templates
Plugin Slug: astra-sites
Affected Versions: <= 2.7.0
CVE ID: CVE-2021-42360
CVSS Score: 7.6(High)
Researcher/s: Ramuel Gall
Fully Patched Version: 2.7.1


Read More: https://www.wordfence.com/blog/2021/11/over-1-million-sites-impacted-by-vulnerability-in-starter-templates-plugin/