Google Discontinues Translate Community Contribution Feature via @sejournal, @MattGSouthern

Google announced that it’s shutting down the Contribute feature for Google Translate, which allowed users to suggest translations to improve the tool’s quality.

The decision comes as Google Translate has seen significant advancements in recent years, mainly due to the evolution and learning of its underlying systems.

The Launch Of The Contribute Feature

Launched in 2014, the Contribute feature was designed to leverage the knowledge of language enthusiasts and native speakers to enhance translations for the 80 languages supported by Google Translate.

Users could participate in the Translate Community by generating new translations, rating existing ones, and providing feedback on improving the service.

In a statement, Google acknowledged the value of user contributions, saying, “When Contribute first launched, real speakers often provided helpful translation suggestions when Translate missed the mark.”

However, Google believes that the improvements made to the service have removed the need for this feature.

Now, when navigating to translate.google.com and clicking on Contribute, you’ll see a message about its discontinuation:

New System For User Feedback

Moving forward, Google Translate users can provide feedback directly through the Android and iOS apps and on the desktop version when they feel a translation could be improved.

Google believes this new system will maintain the quality of the service while reducing the reliance on the Contribute feature.

When the feature was first introduced, it was seen as an innovative way to engage users and tap into the collective knowledge of language communities worldwide.

As Google Translate matured, the company developed machine learning techniques, such as neural machine translation, which greatly enhanced the accuracy and fluency of translations.

These technological advancements allow Google to provide higher-quality translations without relying as much on user contributions.

Looking Ahead

While the Contribute feature may be gone, Google remains committed to delivering accurate and reliable translations.

Google’s innovation in language technology means Translate will continue to be a valuable tool for breaking down language barriers and facilitating global communication.


FAQ

How does Google plan to maintain the quality of its translations after discontinuing the Contribute feature?

Google intends to sustain the quality of its translation services through the following means:

  • Continued advancement in machine learning, including neural machine translation technology, enables higher-quality translations.
  • Implementing a new feedback system where users can report translation issues directly via Google Translate’s Android and iOS apps and the desktop version.

What was the original purpose of Google Translate’s Contribute feature, and how has it evolved?

The Contribute feature was established with these objectives and has evolved as follows:

  • Launched in 2014 to engage language enthusiasts and native speakers in enhancing translation quality for 80 languages.
  • Provided a platform for users to suggest new translations, rate existing ones, and offer optimization feedback.
  • Evolved alongside Google’s language technology to the point where user-generated contributions became less critical because of improved machine learning techniques.


Featured Image: Mojahid Mottakin/Shutterstock

XSS Vulnerability Affects Beaver Builder WordPress Page Builder via @sejournal, @martinibuster

The popular Beaver Builder WordPress Page Builder was found to contain an XSS vulnerability that can allow an attacker to inject scripts into the website that will run when a user visits a webpage.

Beaver Builder

Beaver Builder is a popular plugin that allows anyone to create a professional-looking website using an easy-to-use drag-and-drop interface. Users can start with a predesigned template or create a website from scratch.

Stored Cross Site Scripting (XSS) Vulnerability

Security researchers at Wordfence published an advisory about an XSS vulnerability affecting the page builder plugin. An XSS vulnerability is typically found in a part of a theme or plugin that accepts user input. The flaw arises when there is insufficient filtering of what can be input (a process called input sanitization). Another flaw that leads to an XSS is insufficient output escaping, a security measure applied to the output of a plugin that prevents harmful scripts from reaching a visitor’s browser.

This specific vulnerability is called a Stored XSS. Stored means that the injected script is saved on the web server (for example in the site’s database) and is served to every visitor of the affected page. This is different from a reflected XSS, which requires a victim to click a link to the attacked website in order to execute a malicious script. A stored XSS, such as the one affecting Beaver Builder, is generally considered more dangerous than a reflected XSS.

The security flaws that gave rise to the XSS vulnerability in Beaver Builder were insufficient input sanitization and insufficient output escaping.
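The two defenses named above, shown side by side as an added example written for this article (not Beaver Builder’s or Wordfence’s code): a page-builder button widget rendered first without and then with input sanitization and output escaping. The markup, the attribute names, the helper functions and the sample contributor input are all constructed for the illustration; the WordPress functions mentioned in the comments (sanitize_text_field, esc_url_raw, esc_attr, esc_url, esc_html) are the real equivalents a plugin would call.

```php
<?php
// Added example, not Beaver Builder or Wordfence code: a page-builder button
// widget rendered with and without the two defenses named above. Markup,
// attribute names, helper names and the sample input are constructed.

declare(strict_types=1);

// Constructed input of the kind a contributor could save into a widget setting.
const SAMPLE_LABEL = 'Click me" onmouseover="alert(1)';
const SAMPLE_URL   = 'javascript:alert(1)';

// Vulnerable: stored values are interpolated straight into HTML. A quote in
// the label closes the attribute and lets the value add its own attributes.
function render_button_vulnerable(string $label, string $url): string
{
    return '<a class="fl-button" href="' . $url . '" title="' . $label . '">' . $label . '</a>';
}

// Input sanitization (on save): keep only what the setting may contain.
// WordPress equivalents: sanitize_text_field() and esc_url_raw().
function sanitize_label(string $label): string
{
    $label = strip_tags($label);                               // labels are plain text
    return trim(preg_replace('/[\x00-\x1F\x7F]/u', '', $label) ?? '');
}

function sanitize_url(string $url): string
{
    $url = trim($url);
    if ($url === '' || str_starts_with($url, '/')) {           // relative URL
        return $url;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : ''; // drops javascript:, data:
}

// Output escaping (on render): encode for the context the value lands in.
// WordPress equivalents: esc_attr(), esc_url(), esc_html().
function esc_attribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_button_hardened(string $label, string $url): string
{
    $label = sanitize_label($label);
    $url   = sanitize_url($url);
    return '<a class="fl-button" href="' . esc_attribute($url) . '" title="' . esc_attribute($label) . '">'
        . esc_attribute($label) . '</a>';
}

echo "Vulnerable: ", render_button_vulnerable(SAMPLE_LABEL, SAMPLE_URL), "\n";
echo "Hardened:   ", render_button_hardened(SAMPLE_LABEL, SAMPLE_URL), "\n";
```

Running it shows why the advisory names both flaws: sanitization alone leaves the quote in the label (strip_tags removes tags, not quotes), so only the attribute escaping closes that breakout, while escaping alone leaves the javascript: URL perfectly valid, so only the scheme check on save neutralizes it.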

Wordfence described the vulnerability:

“The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Button Widget in all versions up to, and including, 2.8.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

The vulnerability is rated 6.4, a medium level threat. Attackers must first obtain at least contributor-level permissions in order to launch an attack, which makes this vulnerability a little harder to exploit.

The official Beaver Builder changelog, which documents what’s contained in an update, notes that a patch was issued in version 2.8.0.7.

The changelog notes:

“Fix XSS issue in Button & Button Group Modules when using lightbox”

Recommended action: It’s generally good practice to update and patch a vulnerability before an attacker is able to exploit it. It’s also a best practice to test the update on a staging copy of the site before pushing it live, in case the updated plugin conflicts with another plugin or theme.

Read the Wordfence advisory:

Beaver Builder – WordPress Page Builder <= 2.8.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Button

Featured Image by Shutterstock/Prostock-studio

OpenAI Announces Instant-Use ChatGPT—No Login Required via @sejournal, @martinibuster

ChatGPT announced that as of today it is rolling out the ability for anyone to use it without having to sign up or log into the service. Aside from some missing features, the exact same functionality is available in the free service that was previously available to users who signed up for a free account.

Mainstream media is going to talk about how it uses data for training but that’s not the big news here. What’s significant is that it is one step in the direction of eating Google’s lunch by fulfilling Google’s own mission statement that prescribes organizing “the world’s information and make it universally accessible and useful.”

Use ChatGPT Instantly

OpenAI is rolling out availability of ChatGPT 3.5 to the public on an instant basis without having to sign in or register with the service. Using ChatGPT is now as easy as using a search engine like Google.

The announcement explained:

“Starting today, you can use ChatGPT instantly, without needing to sign-up. We’re rolling this out gradually, with the aim to make AI accessible to anyone curious about its capabilities.”

Shared Content May Be Used For Training

OpenAI noted that content that’s shared in ChatGPT may be used for training the model but that there is a way to turn this off through the Settings.

But at the moment there is no clear way, in the instant version of ChatGPT, to reach the setting that turns off the use of your content for training.

The official statement on data use:

“We may use what you provide to ChatGPT to improve our models for everyone. If you’d like, you can turn this off through your Settings – whether you create an account or not. Learn more about how we use content to train our models and your choices in our Help Center.”

There is also a notice beneath the chat window:

“By sending a message, you agree to our Terms. Read our Privacy Policy. Don’t share sensitive info. Chats may be reviewed and used to train our models. Learn about your choices.”

Using Instant ChatGPT Means Agreement For Data Use

Additional Safeguards

OpenAI also announced additional guardrails to keep the free version safer than the other versions. For example, OpenAI said that it is blocking output on a wider range of topics.

What’s Missing In The Free Account

OpenAI listed the benefits of creating a free or paid account which are not available in the instant chat version.

Unavailable features:

  • Cannot save or review chat history
  • Cannot share chats
  • No access to voice instructions
  • No access to custom instructions

Prelude To Competing Against Google?

The obvious question is if this is a step in the direction of creating an alternative to using a search engine, replacing Google’s business model with an entirely new way to find information.

Free instant chat fulfills Google’s mission statement to “organize the world’s information and make it universally accessible and useful” in a way that Google search does not. So it’s not an unreasonable question to ask.

Featured Image by Shutterstock/rafapress

Google: Overfocusing On Links Could Be A Waste Of Time via @sejournal, @martinibuster

Google’s John Mueller answered a question on Reddit about backlinks and suggested that overfocusing on links could be a waste of time, a statement that fits a pattern from Google over the past six months.

Backlink Checkers Prioritize Their Crawls Differently

The person asking the question wanted to know why backlink checkers show different backlinks, with no consensus among them, particularly for their site, which was “relatively new” but fully indexed.

Backlink checkers don’t start from a given site and look up its backlinks. They crawl the web and build a map of the link relationships between sites. The tools also have to prioritize what they crawl because the web is huge, so not everything gets crawled, much less included in their index.

This is what was asked:

“I have a couple backlinks on google search console on the “external links” page and I know recently I have gotten a few more.

However, on Ahrefs it says I have none. Is there a reason? My website is relatively new but I feel like that should not matter because everything is indexed and working properly. Is there a reason?”

Counting Links Is Subjective

Mueller said that there’s no “objective” way to count links, which may be a reference to the fact that every tool has to make a choice of what they crawl and include in their index.

He answered:

“There’s no objective way to count links on the web, and every tool collects its own data from crawling, which every tool does differently, so there will always be differences.”

More Important Things For Websites

Mueller’s answer first advised against focusing on link counts and noted that search engines are able to discover webpages in ways other than links.

He answered:

“My recommendation would be not to focus so much on the absolute count of links. There are many ways that search engines can discover websites, such as with sitemaps.”

In the last part of his answer he begins talking about links in general and appears to downplay them.

Mueller commented:

“There are more important things for websites nowadays, and over-focusing on links will often result in you wasting your time doing things that don’t make your website better overall.”

It’s pretty clear that he’s not talking about backlink counts anymore. He’s talking about links.

Google Has Signaled That Links Are Less Important

Over the past six months Google has been saying and hinting that links are less important than they used to be. Google’s March 2024 core update coincided with four changes to its documentation that downplayed the role of links, including removing the word “important” from a sentence about links as a ranking factor. Everything else in the sentence remained the same; only the word “important” was removed.

Before:

“Google uses links as an important factor in determining the relevancy of web pages.”

After:

“Google uses links as a factor in determining the relevancy of web pages.”

Read about March 2024 changes to links: Google March 2024 Core Update: 4 Changes To Link Signal

The first express statement that a Googler made was at PubCon Austin last fall where Gary Illyes stated that links aren’t even in the top 3 of ranking factors.

John Mueller even gave a hint two years ago that the role of links was going to become less important.

He said:

“…it’s something where I imagine, over time, the weight on the links at some point will drop off a little bit as we can figure out a little bit better how the content fits in within the context of the whole web.”

Read the Reddit discussion:

Why are my backlinks not showing up?

Featured Image by Shutterstock/Asier Romero

27-Year Search Expert Shares 5 Steps To Boost Your SEO via @sejournal, @martinibuster

In a recent Yext Summit, 27-year search marketing expert Duane Forrester shared advice on how to become a better SEO and develop the skills to better anticipate where search marketing is headed.

Who Is Duane Forrester And Why His Advice Matters

Duane Forrester is one of the rare search marketers who has experience on both sides of the search box. He has 27 years of experience in the search industry with almost ten of those years spent as a Product Manager at Microsoft. He helped build and launch Bing Webmaster Tools, wrote the original Bing Webmaster Guidelines and worked with the Core Search and Spam Teams, as well as the teams who built and maintained Schema.org, Robotstxt.org and Sitemaps.org.

Five Steps To Become A Better SEO & Predict Future Trends

Duane said that in 2022 nobody was talking about AI. Now it’s been just over a year and it’s all that everyone is talking about. He said that’s an example of how SEO is one of the fastest changing industries and said that this has always been the normal pace.

What’s going on in AI is just another change in a history of changes, not all of it visible to the search community. Machine learning, neural networks, and AI have been a part of Search behind the scenes for many years, largely unseen and not always well understood, which underlines the importance of learning.

Duane said:

“…this industry requires a dedication to continual learning. All the time, there’s always something new. …Big steps, small steps, but it is constant.”

He suggested the following activities for attaining a strong SEO footing and maintaining it.

  1. Research 60 minutes per day
  2. Follow known experts
  3. Use official sources for SEO guidance
  4. The value of developer resources
  5. Anticipate consumer trends

1. Research 60 Minutes Per Day

Duane recommended setting aside time for research.

He explained:

“…dedicate at least 60 minutes a day, an hour, to reading new sources and the official blogs, heck even the unofficial blogs, get in and read those things.”

For some it might sound like a lot of time to dedicate to researching something that they already know, SEO. But Duane is right and I’ll tell you why.

In 2005 I was caught by surprise when a Google engineer revealed that Google was using statistical analysis to identify unnatural links. It was a mind-blowing moment that made it clear I had to start reading research papers to stay on top of what the search engines were doing.

I contacted Duane about it and he said that now more than ever it’s important to research everything because SEO is changing so fast that at some point it might be inadequate to call it SEO anymore.

This is what he told me:

“Man, if things keep going the way they are, we will ALL need to learn a new profession. It simply won’t be called SEO if it’s on the front edge of what’s coming.

Bottom line, if you’re not investing in the work now, there is not going to be a tomorrow. Sorry, this train is stopping. A new train will be departing the station shortly – I suggest you get on it.”

2. Follow Known Experts

Duane asserts that it’s important to keep an open mind and absorb what others have to say. Consider that this is a person with 27 years of experience who is saying how important it is for him to read what others are saying. So if it’s important for him, it should be important for everyone else.

Duane recommends:

“Follow known experts on Twitter and LinkedIn threads, Bluesky, TikTok, wherever they have an account, go find it. If it’s on medium, sign up. If it’s on Substack sign up.

Make sure you’re getting direct access. You don’t want to rely on what someone said they read. Go read these things yourself. It makes a big difference in your understanding. Listen to the podcasts, watch the webinars, follow their YouTube channels and acknowledge you will be drinking from a fire hose.”

3. Use Official Sources For SEO Guidance

Duane emphasized the importance of getting as much information as possible directly from the search engines. For the normal sources of official information (Search Central, the Developer blog, Webmaster Tools) he said to keep those bookmarked and ready to be checked every day. But he also advised expanding your sources of information to ones most people don’t consult.

This is what he said about alternative sources:

“So for SEOs, you wanna be looking for Microsoft, Google, DuckDuckGo, Yahoo, Baidu, and Naver. And before you say, but why Yahoo? It’s because they’re doing a lot over the last year with search and they are poised to do even more in the next 18 months. So pay attention to what they’re doing. They’re not investing in this because they don’t think there’s a reason to do so. They very much believe there is room for them in this market, and I bet consumers will agree with them.”

4. The Value Of Developer Resources

This part of his keynote is interesting because it’s about looking at where the industry is going to be 18 months in the future. Part of engaging with developer resources is understanding the technology but he also sees it as an opportunity to get ahead of everyone else by seeing where the consumers are going (because the money will follow them).

Duane recommended developer-focused resources at Meta, Amazon, Apple, TikTok and OpenAI because those are the companies that are developing the customer experiences that shape consumer behavior. He has a point. Shein revolutionized how clothing is marketed by sidestepping search altogether and targeting consumers on social media in ways that appealed to them.

Duane said:

“I also urge you take a look at what’s going on for developers, and there’s a very important reason for this. META, Amazon, Apple, TikTok, OpenAI, they all have dedicated locations for developers to come in and engage with our latest products and services…

The reason it’s important to pay attention to this is because these are the companies that are developing the customer experiences and understand how those customer experiences impact customer action and behavior. These are the official sources where those experiences are rolled out, talked about, and developers can engage with them.”

5. Anticipate Consumer Trends

One of the things that I found interesting was how he kept returning to how technology affects the customer experience and customer behavior. When he talks about Apple or Meta it’s in the context of how they’re influencing customer behavior, and he also ties that to how money follows the consumers.

For example, in our conversation he mentioned the prospect of an ad-free AI search and said that we have to think about where that advertising money is going to go.

“This is leaning towards “staying on top of your game” and we have to talk about how “search” is being expanded across new platforms (ChatGPT, Perplexity, etc.).

So knowing how they’re thinking about business models and such becomes a very important part of the game. If ChatGPT launches an ad-free search experience, and their current consumers adopt it (100 million active monthly users), how does this affect current search models built on top of advertising? How does this affect how teams are tasked with work inside of brands, which skills are in demand, where does ad money move to?”

Do you see what he’s doing there? He’s looking at technological trends today and then thinking where it is headed and how that affects which jobs will be in demand and where advertising and consumer spending is headed.

I’ve known Duane for almost twenty years and he’s always doing that kind of thing where he puts context on what’s happening now and what it means for the future. Those questions he asks show how to anticipate where the industry is headed.

His Yext keynote ended with a hockey analogy:

“You do not want to skate to where the puck is. You want to skate to where the puck is going to be. The greatest hockey players who have ever played the sport knew that and acted on it every time they took to the ice.

Skating to where the puck is is a sure way to miss the point and fall behind. Skating to where it will be is how you stay in front and on top of things. And you can get there by being curious, learning continuously and building a robust network.”

Watch Duane Forrester’s keynote:

How to Keep Up with SEO Best Practices

Featured Image by Shutterstock/Artem Samokhvalov

Data Confirms A Surge In WordPress Vulnerabilities via @sejournal, @martinibuster

WordPress security researchers at Patchstack published their annual State of WordPress Security whitepaper that showed an increase of high and critical severity vulnerabilities, highlighting the importance of security for all websites on the WordPress platform.

XSS Is Top WordPress Vulnerability Of 2023

There are many kinds of vulnerabilities but the most common by far was cross site scripting (XSS) vulnerabilities, accounting for 53.3% of all new WordPress security vulnerabilities.

XSS vulnerabilities generally occur due to insufficient “sanitization” of user inputs, which includes blocking any inputs that do not conform to what is expected. Patchstack shared that the Freemius framework, a third-party managed eCommerce platform, accounted for over 1,200 of all XSS vulnerabilities, representing 21% of all new XSS vulnerabilities discovered in 2023.

The Freemius Software Development Kit (SDK) is used as a component of over 1,200 plugins, which in turn are installed on over 7 million WordPress sites. This highlights the problem of supply chain vulnerabilities: when a shared component is used as part of many WordPress plugins, a single flaw in it widens the scope of the vulnerability far beyond one plugin.

Patchstack’s report explained:

“This year we saw once again how a single cross-site scripting vulnerability in the Freemius framework resulted in 1,248 plugins inheriting the security vulnerability, exposing their users to risk.

21% of all new vulnerabilities discovered in 2023 can be traced back to this one flaw. It’s vital for developers to choose their stack carefully and promptly apply security updates when these become available.”

More Vulnerabilities Rated High Or Critical

Vulnerabilities are assigned a severity score that corresponds to how damaging a discovered flaw is. The ratings range from low through medium and high to critical.

In 2022, 13% of new vulnerabilities were classified as high or critical. That percentage skyrocketed in 2023 to 42.9%, meaning that there were more destructive vulnerabilities in 2023 than in the previous year.

Authenticated Versus Unauthenticated Vulnerabilities

Another metric that pops out in the report is the percentage of vulnerabilities that require no authentication (unauthenticated), meaning the attacker does not need any user permission level in order to launch an attack.

Flaws that require an attacker to hold subscriber-level to admin-level permissions set a higher bar for attackers to overcome. Unauthenticated vulnerabilities do not require that the attacker first obtain any permission level, which makes those kinds of vulnerabilities more concerning because they can be exploited through automated attacks, such as bots that probe a site for the vulnerability and then automatically launch attacks.

Patchstack found that 58.9% of all new vulnerabilities required no authentication at all.

Abandoned Plugins Spike As a Risk Factor

Another significant cause of vulnerabilities is the large number of abandoned plugins. In 2022 Patchstack reported 147 abandoned plugins and themes to WordPress.org; of those, 87 were removed and the remainder were patched.

The number of abandoned plugins and themes exploded from 147 in 2022 to 827 in 2023. Whereas 87 vulnerable abandoned plugins were removed in 2022, 481 were removed in 2023.

Patchstack noted:

“We reported 404 of those plugins in a single day to draw attention to the “zombie plugin pandemic” in WordPress. Such “zombie” plugins are components that seem safe and up-to-date at first glance, but may contain unpatched security issues. Furthermore, such plugins remain active on user sites even if they are removed from the WordPress plugins repository.”

Most Popular Plugins With Vulnerabilities

As mentioned earlier, severity ratings range from low, medium, high and critical. Patchstack compiled a list of the most popular plugins with vulnerabilities.

In 2022 there were 11 popular plugins with over a million active installations that contained vulnerabilities. In 2023 Patchstack lowered the bar on installations from a million to over 100,000 installations. Yet despite making it easier to get on the list, only 9 popular plugins were found to have a vulnerability, far fewer than in 2022.

In 2022 only five out of 11 of the most popular plugins with vulnerabilities contained a high severity vulnerability, none contained a critical level vulnerability and the rest were medium level severity.

Those numbers became significantly worse in 2023. Despite the lower threshold for what counts as a popular plugin, all nine plugins on the list contained critical level vulnerabilities. The overwhelming majority of the plugins on that list, six out of nine, contained unauthenticated vulnerabilities, meaning that exploiting them is easy to scale with automation. The remaining three that required authentication only required subscriber-level access, which is the easiest permission level to acquire: just sign up, verify the email and they’re in. That too can be scaled with automation.

List Of Most Popular Plugins With Vulnerabilities

  1. Essential Addons for Elementor 1M+ installations (severity rating 9.8)
  2. WP Fastest Cache 1M+ installations (severity rating 9.3)
  3. Gravity Forms 940k installations (severity rating 8.3)
  4. Fusion Builder 900k installations (severity rating 8.5)
  5. Flatsome (Theme) 618k installations (severity rating 8.3)
  6. WP Statistics 600k installations (severity rating 9.9)
  7. Forminator 400k installations (severity rating 9.8)
  8. WPvivid Backup and Migration 300k installations (severity rating 8.8)
  9. JetElements For Elementor 300k installations (severity rating 8.2)

State Of WordPress Security Is Worse

If you feel like there are more vulnerabilities lately than ever before, now you know the reason; the statistics speak for themselves. There were more vulnerabilities in 2023, and a greater percentage of them are at high and critical levels that can be exploited with automation at scale.

This means that all publishers need to improve their security and make sure that someone is taking responsibility for auditing their plugins and themes on a regular basis to make sure they are all updated and actively maintained.

SEOs should take notice because security quickly becomes a ranking problem when Google drops a hacked site from the search results. Many SEOs who perform site audits don’t do even the most basic security checks like verifying if the security headers are in place, which is something that I do as a part of every audit I perform. Always make sure to have a discussion with clients about their security to make sure they are aware of the risks.
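The security header check mentioned above, as an added example written for this article rather than code from Patchstack or any audit tool. Which headers to look for and what counts as a weak value are my assumptions based on common hardening guidance (HSTS, Content-Security-Policy, X-Content-Type-Options, framing protection, Referrer-Policy); the HTTP response below is constructed so the script runs offline. For a live site, the parsed header map could be taken from PHP’s get_headers($url, true) instead.

```php
<?php
// Added example, not the article's or Patchstack's code: a minimal audit of
// security response headers. Header list and thresholds are the author's
// assumptions; the sample response below is constructed, not captured.

declare(strict_types=1);

// Parse a raw HTTP response header block into a lowercase-keyed map.
function parse_headers(string $raw): array
{
    $headers = [];
    foreach (preg_split('/\r?\n/', trim($raw)) as $line) {
        if (!str_contains($line, ':')) {
            continue;                                  // status line or blank
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }
    return $headers;
}

// Return human-readable findings: missing headers and weak values.
function audit_security_headers(array $headers): array
{
    $findings = [];
    $required = [
        'strict-transport-security' => 'keeps browsers on HTTPS',
        'content-security-policy'   => 'restricts script sources, blunting XSS',
        'x-content-type-options'    => 'stops MIME sniffing',
        'referrer-policy'           => 'limits referrer leakage',
    ];
    foreach ($required as $name => $why) {
        if (!isset($headers[$name])) {
            $findings[] = "missing $name ($why)";
        }
    }

    $hsts = $headers['strict-transport-security'] ?? '';
    if ($hsts !== '' && preg_match('/max-age=(\d+)/i', $hsts, $m) && (int) $m[1] < 31536000) {
        $findings[] = 'weak strict-transport-security: max-age is below one year';
    }

    $csp = $headers['content-security-policy'] ?? '';
    if ($csp !== '' && stripos($csp, "'unsafe-inline'") !== false) {
        $findings[] = "content-security-policy permits 'unsafe-inline', which weakens XSS protection";
    }

    // Clickjacking protection may come from either header.
    if (!isset($headers['x-frame-options']) && stripos($csp, 'frame-ancestors') === false) {
        $findings[] = 'no framing protection: add X-Frame-Options or CSP frame-ancestors';
    }

    if (isset($headers['x-content-type-options'])
        && strtolower($headers['x-content-type-options']) !== 'nosniff') {
        $findings[] = 'x-content-type-options should be exactly "nosniff"';
    }

    if (isset($headers['server']) && preg_match('/\d/', $headers['server'])) {
        $findings[] = 'server header discloses a version number';
    }
    return $findings;
}

// Constructed sample response for an offline run.
const SAMPLE_RESPONSE = "HTTP/1.1 200 OK\r\n"
    . "Server: Apache/2.4.57\r\n"
    . "Content-Type: text/html; charset=UTF-8\r\n"
    . "Strict-Transport-Security: max-age=300\r\n"
    . "X-Content-Type-Options: nosniff\r\n";

foreach (audit_security_headers(parse_headers(SAMPLE_RESPONSE)) as $finding) {
    echo "- {$finding}\n";
}
```

On the constructed response this reports the missing CSP and Referrer-Policy headers, the short HSTS max-age, the absent framing protection and the version-revealing Server header, which is the kind of checklist result that belongs in an audit alongside the plugin inventory.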

Patchstack is an example of a service that automatically protects WordPress sites against vulnerabilities even before the plugin issues a patch to fix the vulnerability. Those kinds of services are important in order to create a defense against getting hacked and losing search visibility and earnings.

Read the Patchstack report:

State of WordPress Security In 2023

Featured Image by Shutterstock/Iurii Stepanov

15 Vulnerabilities In 11 Elementor Addons Hit +3M WordPress Sites via @sejournal, @martinibuster

Researchers have issued advisories for eleven separate Elementor add-on plugins with 15 vulnerabilities that can make it possible for hackers to upload malicious files. One of them is rated as a high threat vulnerability because it can allow hackers to bypass access controls, execute scripts and obtain sensitive data.

Two Different Kinds Of Vulnerabilities

The majority of the vulnerabilities are Stored Cross Site Scripting (XSS). Three of them are Local File Inclusion.

XSS vulnerabilities are among the most common form of vulnerability found in WordPress plugins and themes. They generally arise from flaws in how input data is secured (input sanitization) and also how output data is locked down (output escaping).

A Local File Inclusion vulnerability is one that exploits an unsecured user input that allows an attacker to “include” a file of their choosing. Include is a coding term. In plain English, a file inclusion is a statement that tells the website to load and run code from another file, such as a PHP file. I have used includes in PHP to bring in data from one file (like the title of a webpage) and stick it into the meta description, that’s an example of an include.

This kind of vulnerability can be a serious threat because it allows an attacker to “include” a wide range of code which in turn can lead to the ability to bypass any restrictions on actions that can be carried out on the website and/or allow access to sensitive data that is normally restricted.
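The dynamic-include pattern described above, as an added example written for this article rather than code from ElementsKit or any plugin it names: a template loader that joins a request parameter onto a file path, beside a hardened version that treats the parameter only as a key into a fixed allowlist and confirms the resolved path stays inside the template directory. The template names, the request values and the temporary template files are constructed for the demonstration.

```php
<?php
// Added example, not code from ElementsKit or any plugin on the page: the
// dynamic-include pattern that produces a Local File Inclusion flaw, beside an
// allowlisted replacement. Template names, the request parameter and the
// temporary template files are constructed here for the demonstration.

declare(strict_types=1);

// Vulnerable pattern: a request parameter is joined onto a path and include()d.
// Returned rather than executed here so the resolved path can be inspected;
// "../" segments and uploaded "safe" files are what make this exploitable.
function template_path_vulnerable(string $baseDir, string $requested): string
{
    return $baseDir . '/' . $requested . '.php';
}

// Hardened pattern: the request parameter is only a lookup key into a fixed
// set of known templates, and the resolved path is checked against $baseDir.
const TEMPLATE_ALLOWLIST = ['button' => 'button.php', 'slider' => 'slider.php'];

function template_path_hardened(string $baseDir, string $requested): ?string
{
    if (!array_key_exists($requested, TEMPLATE_ALLOWLIST)) {
        return null;                                   // unknown key: refuse
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . TEMPLATE_ALLOWLIST[$requested]);
    // Defense in depth: even a listed file must resolve inside the template dir.
    if ($base === false || $path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

function render_hardened(string $baseDir, string $requested, array $vars): string
{
    $path = template_path_hardened($baseDir, $requested);
    if ($path === null) {
        return '';                                     // log the refusal, render nothing
    }
    extract($vars, EXTR_SKIP);                         // template variables, e.g. $label
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// --- Demonstration on constructed templates in a temp directory ----------
$dir = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/button.php', '<a class="btn"><?= htmlspecialchars($label, ENT_QUOTES) ?></a>');
file_put_contents($dir . '/slider.php', '<div class="slider"></div>');

$requests = ['button', '../../some-other-file', 'uploads/avatar'];
foreach ($requests as $req) {
    printf("%-22s vulnerable -> %s\n", $req, template_path_vulnerable($dir, $req));
    printf("%-22s hardened   -> %s\n", $req, template_path_hardened($dir, $req) ?? '(refused)');
}
echo render_hardened($dir, 'button', ['label' => 'Buy now']), "\n";

array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);
```

The hardened version never lets user input form any part of the file path: the allowlist turns “include what the user named” into “include one of the two files we ship”, and the realpath check guards against a future allowlist entry that points outside the template directory.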

The Open Web Application Security Project (OWASP) defines a Local File Inclusion vulnerability:

“The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

This can lead to something as outputting the contents of the file, but depending on the severity, it can also lead to:

Code execution on the web server

Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)

Denial of Service (DoS)

Sensitive Information Disclosure”

List Of Vulnerable Elementor Add-On Plugins

There are eleven Elementor add-on plugins in total that have vulnerability advisories: two were issued today (March 29th), two were issued on March 28th, and the remaining seven were issued within the past few days.

Some of the plugins have more than one vulnerability so that there are a total of 15 vulnerabilities in eleven of the plugins.

Out of the eleven plugins one is rated as a High Severity vulnerability and the rest are Medium Severity.

Here is the list of plugins, ordered from the most recent advisory to the earliest. The numbers next to a plugin denote that it has more than one vulnerability.

List of Vulnerable Elementor Add-Ons

  1. ElementsKit Elementor addons (x2)
  2. Unlimited Elements For Elementor
  3. 140+ Widgets | Best Addons For Elementor
  4. Better Elementor Addons
  5. Elementor Addon Elements (x2)
  6. Master Addons for Elementor
  7. The Plus Addons for Elementor (x2)
  8. Essential Addons for Elementor (x2)
  9. Element Pack Elementor Addons
  10. Prime Slider – Addons For Elementor
  11. Move Addons for Elementor

High Severity Vulnerability

The High Severity vulnerability, found in the ElementsKit Elementor Addons plugin for WordPress, is especially concerning because it can put over a million websites in danger. This vulnerability is rated 8.8 on a scale of 1-10.

What accounts for its popularity is the all-in-one nature of the plugin that allows users to easily modify virtually any on-page design feature in the headers, footers, and menus. It also includes a vast template library and 85 widgets that add extra functionality to webpages created with the Elementor website building platform.

The Wordfence security researchers described the vulnerability threat:

“The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.6 via the render_raw function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.”

Millions of WordPress Sites Affected

The vulnerabilities may affect over 3 million websites. Just two of the plugins have a total of three million active installations. Websites tend to use just one of these plugins because there is a certain amount of overlap between the features. The all-in-one nature of some of these plugins means that only one plugin is needed in order to access important widgets for adding sliders, menus and other on-page elements.

List of Vulnerable Plugins By Number Of Installations

  1. Essential Addons for Elementor – 2 Million
  2. ElementsKit Elementor addons – 1 Million
  3. Unlimited Elements For Elementor – 200k
  4. Elementor Addon Elements – 100k
  5. The Plus Addons for Elementor – 100k
  6. Element Pack Elementor Addons – 100k
  7. Prime Slider – Addons For Elementor – 100k
  8. Master Addons for Elementor – 40k
  9. 140+ Widgets | Best Addons For Elementor – 10k
  10. Move Addons for Elementor – 3k
  11. Better Elementor Addons – Unknown – Closed By WordPress

Recommended Action

Although many of the medium-severity vulnerabilities require hackers to obtain contributor-level authentication in order to launch an attack, it’s best not to underestimate the risk posed by other plugins or installed themes that might grant the attacker the ability to launch these specific attacks.

It’s generally prudent to test updated themes before pushing updates to a live site.

Read the official Wordfence advisories (with CVE numbers):

A. 03/29 ElementsKit Elementor addons <= 3.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-1238

B. 03/29 ElementsKit Elementor addons <= 3.0.6 – Authenticated (Contributor+) Local File Inclusion in render_raw CVE-2024-2047 8.8 HIGH THREAT

03/29 Unlimited Elements For Elementor <= 1.5.96 – Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Link CVE-2024-0367

03/28 140+ Widgets | Best Addons For Elementor – FREE <= 1.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-2250

03/28 Better Elementor Addons <= 1.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via widget links CVE-2024-2280

A. Elementor Addon Elements <= 1.13.1 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-2091

B. Elementor Addon Elements <= 1.13.2 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via ‘Text Separator’ and ‘Image Compare’ Widget CVE-2024-2792

Master Addons for Elementor <= 2.0.5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget CVE-2024-2139

A. The Plus Addons for Elementor <= 5.4.1 – Authenticated (Contributor+) Local File Inclusion via Team Member Listing CVE-2024-2210

B. The Plus Addons for Elementor <= 5.4.1 – Authenticated (Contributor+) Local File Inclusion via Clients Widget CVE-2024-2203

A. Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting ( via the countdown widget’s message parameter) CVE-2024-2623

B. Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting (via the alignment parameter in the Woo Product Carousel widget) CVE-2024-2650

Element Pack Elementor Addons <= 5.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via link CVE-2024-30185

Prime Slider – Addons For Elementor <= 3.13.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via title CVE-2024-30186

Move Addons for Elementor <= 1.2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-2131
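An added check (not code from the article or from Wordfence) that turns the advisory list above into an inventory test: it compares installed plugin versions against the highest affected version each advisory states. Plugin display names are used as keys because the article gives names rather than slugs, and the `$installed` array is constructed sample data; on a real site it would be filled from WordPress’s `get_plugins()` or the output of `wp plugin list`.

```php
<?php
// Added example, not code from the article or from Wordfence.
// Keys are the plugin display names used in the article (slugs are not given there).

declare(strict_types=1);

// Highest affected version per plugin, taken from the advisory list above.
// Where a plugin has two advisories with different ceilings (Elementor Addon
// Elements: 1.13.1 and 1.13.2), the higher ceiling is used so both are covered.
const MAX_AFFECTED = [
    'ElementsKit Elementor addons'             => '3.0.6',
    'Unlimited Elements For Elementor'         => '1.5.96',
    '140+ Widgets | Best Addons For Elementor' => '1.4.2',
    'Better Elementor Addons'                  => '1.4.1',
    'Elementor Addon Elements'                 => '1.13.2',
    'Master Addons for Elementor'              => '2.0.5.6',
    'The Plus Addons for Elementor'            => '5.4.1',
    'Essential Addons for Elementor'           => '5.9.11',
    'Element Pack Elementor Addons'            => '5.5.3',
    'Prime Slider – Addons For Elementor'      => '3.13.1',
    'Move Addons for Elementor'                => '1.2.9',
];

/**
 * Return the subset of $installed (name => version) still at an affected
 * version. version_compare() compares each dotted component numerically, so
 * 2.0.5.10 is correctly treated as newer than 2.0.5.6; a plain string
 * comparison would rank it lower and report a false "affected".
 */
function affected_plugins(array $installed): array
{
    $hits = [];
    foreach ($installed as $name => $version) {
        if (isset(MAX_AFFECTED[$name])
            && version_compare($version, MAX_AFFECTED[$name], '<=')) {
            $hits[$name] = $version;
        }
    }
    return $hits;
}

// Constructed sample inventory for the example.
$installed = [
    'ElementsKit Elementor addons'   => '3.0.6',    // affected: equal to the ceiling
    'Master Addons for Elementor'    => '2.0.5.10', // not affected: newer than 2.0.5.6
    'Essential Addons for Elementor' => '5.9.12',   // not affected
    'Move Addons for Elementor'      => '1.2.9',    // affected
];

foreach (affected_plugins($installed) as $name => $version) {
    echo "UPDATE NEEDED: {$name} {$version} (affected up to and including "
        . MAX_AFFECTED[$name] . ")\n";
}
```

Run against the sample data this reports ElementsKit Elementor addons and Move Addons for Elementor. The four-part version of Master Addons is the case worth noticing: it is the kind of value that looks affected under a naive string comparison and is why `version_compare()` is used rather than `<=` on strings.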

Featured Image by Shutterstock/Andrey Myagkov

Google Explains How CWV Is A Ranking Factor But Doesn’t Improve Rankings via @sejournal, @martinibuster

Google’s Search Off the Record podcast covered the topic of Core Web Vitals (CWV), noting that while it’s a ranking factor it’s not so important that improving it will improve search visibility. The podcast explains how to reconcile how CWV can be a ranking factor while at the same not something that will noticeably help rankings.

Actual User Experience Of Website Is More Important Than CWV

Rick Viscomi (engineer and Web Performance Lead at Google) and Lizzi Sassman (Senior Technical Writer at Google) downplayed getting poor Core Web Vitals scores, emphasizing what really matters is how the actual users are experiencing the website.

Lizzi Sassman said that she tested the Core Web Vitals scores for Google’s Page Experience documentation and got different scores. She shared that Google’s own documentation on Page Experience only scored 45 (on a scale of 1 – 100).

Rick Viscomi answered that actual user experience of browsing the website matters more than the scores.

He explained:

“… I think this is such a common cause of confusion because developers see one single number and it’s red.

It’s scary. Do I need to panic?

I get this question all the time and I say ‘What really matters is what your real users are experiencing.’”

Most in the search community have gotten the memo about not worrying about CWV scores. They’re great for benchmarking performance in terms of optimizing for sales, ad clicks and conversions, which is where a good user experience literally pays off.

CWV Improvements Not Visible In Search

This next part sounds contradictory but it makes more sense when it’s read in context. John Mueller asserts that CWV is used in the ranking systems. But in the next breath he says that incremental improvements in CWV scores will not be noticeable in search results.

The context is that Mueller’s team spoke to the search team and discovered that CWV is used in the “ranking systems or in search systems” and that’s why it’s reflected in Google’s documentation.

“…we do say we do use this in our ranking systems or in Search systems.”

Then Mueller added that achieving perfect CWV scores won’t make a difference in the search results. He explained that what’s missing in that statement is that CWV as a ranking factor is one part of a bigger ranking engine and how it’s applied is not something that Google talks about.

He explained:

“I think a big issue is also that site owners sometimes over-fixate on the metrics themselves… And then they spend months of time kind of working on this. And they see this as they’re doing something for their Search rankings. And probably a lot of those incremental changes are not really visible in Search.”

And this is the part where he says that the details of how CWV is used as a ranking factor are withheld from SEOs and publishers.

“The details we tend not to go into. We don’t go into thresholds or anything like that. Similar to how we don’t talk about how many words on a page you have to have or all of those details, which, from my point of view, are almost secondary.”

So the takeaway is not that CWV is a ranking factor. The takeaway is that it’s good to improve CWV but a perfect CWV won’t be rewarded with better rankings.

Conceptualizing Core Web Vitals

This next part is interesting because they again emphasize the importance of speed in the wider and more general sense (the forest) and then zoom in to the more narrow sense of ranking where they talk about factors that actually make a difference.

  • Performance is good in the general sense.
  • Other factors are good in the more narrow sense of ranking.

Rick Viscomi explains how web performance is important in the broader overall sense:

“It’s really good for everybody and the rising tide lifts all boats. Check your website. Make it faster. Eat your vegetables.”

Then Lizzi Harvey advises that a better use of time is to focus on content quality, which is the narrow focus on improving rankings.

She commented:

“Yeah focusing on that and then still having like a terrible article like the words on the page are not good or the design is not good and you made it really fast. Okay. Is that really going to make an improvement for your users or for search?”

Two Ways Of Looking At Core Web Vitals

I don’t think that Search Off the Record had planned to talk about CWV as a broader general concern and content as a more specific ranking-focused factor. But that’s how the podcast naturally turned out and it makes sense to conceptualize Core Web Vitals as a general big picture factor because it helps reconcile how something can be a ranking factor that on its own doesn’t really make a difference in the search results.

Listen to the podcast from the 19 minute mark:

Featured Image by Shutterstock/Asier Romero

Google: Incremental Improvements May Not Impact Rankings via @sejournal, @MattGSouthern

In a recent episode of Google’s Search Off the Record podcast, John Mueller, a Search Advocate at Google, cautioned site owners against overly fixating on incremental improvements to their Core Web Vitals scores.

Mueller suggested that these minor optimizations may yield few visible search ranking changes.

Core Web Vitals, a set of user-centric metrics measuring website performance, have been a focal point for many since Google announced they’re used in ranking systems.

The metrics, which include Largest Contentful Paint (LCP), Cumulative Layout Shift (CLS), and the recently introduced Interaction to Next Paint (INP), have driven site owners to optimize their pages for better scores.

However, Mueller’s comments highlight the potential pitfalls of over-optimizing for these metrics:

“I think a big issue is also that site owners sometimes over-fixate on the metrics themselves. They see some number, and it’s like, ‘Oh my gosh, I have to get this to like some other number, some higher state.’ And then they spend months of time working on this. And they see this as they’re doing something for their Search rankings. And probably a lot of those incremental changes are not really visible in Search.”

Mueller acknowledged the temptation to focus on metrics, given the scarcity of concrete SEO measurements:

“There are very few metrics with regards to SEO that you can look at explicitly and say, ‘Oh, it’s like 17, and I can make it 15. So it’s, I don’t know, like human nature to almost focus on them. But, at the same time, you have to be careful that you don’t over-fixate on them and spend an inappropriate amount of time.”

While Mueller didn’t entirely dismiss the importance of Core Web Vitals, his comments suggest being strategic in your optimization efforts, focusing on meaningful improvements rather than chasing incremental gains.

You can hear the full discussion in the episode linked below, starting at the 24:04 mark:

Why SEJ Cares

Mueller’s comments provide insight into Google’s perspective on Core Web Vitals and SEO.

While these metrics are important, it’s crucial to keep sight of the bigger picture. Overinvesting time and resources into chasing minor improvements may not yield the desired results in search rankings.

How This Could Help You

Here are a few key takeaways from Mueller’s advice:

  1. Prioritize impactful optimizations over incremental gains
  2. Use tools to identify areas for improvement, but don’t get caught up in chasing perfect scores
  3. Balance Core Web Vitals with other crucial SEO elements, such as content quality, relevance, and user engagement
  4. Remember that not all optimizations will directly influence search rankings, but they can still contribute to a better user experience.

By considering these points, you can develop a well-rounded strategy that balances Core Web Vitals with other factors, driving better results for your website.

Google Updates Definition Of ‘Top Ads’ In Search Results via @sejournal, @MattGSouthern

Google has changed how it defines top ads in search results.

In a public service announcement on X (formerly Twitter), Ginny Marvin, the Google Ads Liaison, stated:

“To better reflect how ads can appear in Google Search today, we’ve updated the definition of top ads.”

This update is a definitional change and does not affect how performance metrics are calculated.

The updated definition, reflected in a Google Help Center page, now reads:

“Top ads are adjacent to the top organic search results. Top ads are generally above the top organic results, although they may show below the top organic results on certain queries. Placement of top ads is dynamic and may change based on the user’s search.”

Understanding Top & Absolute Top Metrics

Google’s support page provides further insight into top and absolute top metrics, which are a set of prominence metrics that give advertisers a sense of their ads’ placement on the page.

The two key metrics are:

  • Search top impression rate – “Impr. (Top) %”
  • Search absolute top impression rate – “Impr. (Abs. Top) %”

Search top impression share (Search top IS) and Search absolute top impression share (Search abs. top IS) help advertisers understand the opportunity for their ads to improve triggering among top ads or in the first position among top ads.

Unlike average position, these metrics don’t reflect the order of ads compared to other ads but the actual placement of ads on the SERPs.

Why SEJ Cares

This update is essential for advertisers and marketers who rely on Google Ads to reach their target audience.

Understanding the placement of ads on the search results page can help advertisers optimize their campaigns and improve their click-through rates (CTR).

By knowing the difference between top and absolute top metrics, advertisers can make informed decisions about their bidding strategies and ad placement goals.

How This Could Help You

As an advertiser, you can use these metrics to set your bids to increase the percentage of your ads that either show anywhere among top ads or at the first position among top ads.

By monitoring your Search top impression share and Search absolute top impression share, you can identify opportunities to improve your ad placement and drive more traffic to your website.

Additionally, understanding the metrics related to lost impression share due to budget or Ad Rank can help you identify areas for improvement in your campaign management.

Optimizing your budget and Ad Rank can increase your chances of appearing among the top ads and improve your overall campaign performance.

In Summary

Google’s definition of top ads now includes the possibility of ads appearing below the top organic results for specific queries.

Top and absolute top metrics provide insight into ad placement on the search results page, helping advertisers monitor performance.

Advertisers can use these metrics to set bid targets, identify budget limitations, improve Ad Rank, and conduct competitive analysis to refine their advertising strategies.


Featured Image: Alex Photo Stock/Shutterstock