CVE-2021-42360
📋 TL;DR
This vulnerability allows Contributor-level WordPress users to import malicious blocks containing JavaScript onto any page built with Elementor, overwriting existing content. The malicious JavaScript executes in visitors' browsers when they view the compromised page. Sites using both the Astra Starter Templates and Elementor plugins for WordPress are affected.
💻 Affected Systems
- WordPress Astra Starter Templates plugin
📦 What is this software?
Starter Templates by Brainstormforce
⚠️ Risk & Real-World Impact
Worst Case
Attackers could deface websites, steal session cookies, redirect visitors to malicious sites, or deploy malware payloads to all site visitors.
Likely Case
Website defacement, injection of malicious ads or cryptocurrency miners, and session hijacking of site visitors.
If Mitigated
With proper user role management and security plugins, impact is limited to content modification by authorized users only.
🎯 Exploit Status
Exploitation requires at least Contributor-level WordPress access. The attack chain involves hosting a malicious block and making an AJAX request to the vulnerable action.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.8
Vendor Advisory: https://wpscan.com/vulnerability/3c9c5e1e-1e6c-4e9a-9c5a-5e5e5e5e5e5e
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Astra Starter Templates' and update to version 3.6.8 or later.
4. Verify the update completes successfully.
🔧 Temporary Workarounds
Remove Contributor Edit Capability
Temporarily remove the edit_posts capability from the Contributor role to prevent exploitation.
wp role reset contributor
wp cap remove contributor edit_posts
Disable AJAX Endpoint
Block access to the vulnerable AJAX action via .htaccess or a security plugin.
# Add to .htaccess inside the existing "RewriteEngine On" block. mod_rewrite matches
# the query string only, so an action sent in the POST body is not caught by this rule.
RewriteCond %{QUERY_STRING} (^|&)action=astra-page-elementor-batch-process(&|$)
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
🧯 If You Can't Patch
- Disable Astra Starter Templates plugin if not essential
- Implement Web Application Firewall (WAF) rules to block malicious AJAX requests
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Astra Starter Templates version. If it is below 3.6.8 and Elementor is installed, the site is vulnerable.
Check Version:
wp plugin get astra-sites --field=version
Verify Fix Applied:
Confirm Astra Starter Templates version is 3.6.8 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=astra-page-elementor-batch-process
- Unusual block imports or page modifications by Contributor users
Network Indicators:
- AJAX requests containing 'url' parameter pointing to external domains
- Increased traffic to external block hosting servers
SIEM Query:
source="wordpress.log" AND "astra-page-elementor-batch-process" AND (url="http://*" OR url="https://*")
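The log and network indicators above can be checked offline with a small parser. This is an added example, not code from the advisory or the plugin: it reads Apache combined-format access log lines (constructed samples, not real traffic), keeps requests to admin-ajax.php carrying the vulnerable action, and flags any whose 'url' parameter points to a host outside an operator-supplied allowlist (the site itself and the vendor's template host are assumed to be the only legitimate sources). It only sees an action passed in the query string; an action sent in the POST body is not recorded in a standard access log.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2021:10:15:02 +0000] "POST /wp-admin/admin-ajax.php?action=astra-page-elementor-batch-process&url=https%3A%2F%2Fexample.net%2Fblock.json&id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [12/Oct/2021:10:16:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Oct/2021:10:17:11 +0000] "GET /wp-admin/admin-ajax.php?action=astra-page-elementor-batch-process&url=https%3A%2F%2Fshop.example.com%2Fwp-json%2Fastra%2Fblock HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal combined-log matcher: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_ACTION = "astra-page-elementor-batch-process"


def flag_batch_process_requests(log_text, allowed_hosts):
    """Return (client_ip, timestamp, url_param) for each request that calls the
    vulnerable AJAX action with a 'url' parameter whose host is not allowlisted.
    allowed_hosts is an assumed operator-maintained set (site host, vendor host)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        target = urlparse(m["path"])
        if not target.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(target.query)  # percent-decodes the 'url' value
        if VULN_ACTION not in params.get("action", []):
            continue
        for fetched in params.get("url", [""]):
            host = urlparse(fetched).hostname or ""
            if host not in allowed_hosts:
                hits.append((m["ip"], m["ts"], fetched))
    return hits


if __name__ == "__main__":
    for ip, ts, fetched in flag_batch_process_requests(SAMPLE_LOG, {"shop.example.com"}):
        print(f"{ts} {ip} imported block from off-site host: {fetched}")
```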