A critical vulnerability in a highly popular WordPress plugin has exposed millions of sites to hacking.
Discovered by researchers at Plugin Vulnerabilities, the vulnerability was found in Elementor, a WordPress website-building plugin with over five million active installs. The vulnerability was introduced in version 3.6.0 of the plugin, released on March 22; around one-third of the sites running Elementor were on the vulnerable version when the flaw was found.
The vulnerability is caused by an absence of a critical access check in one of the plugin’s files which is loaded on every request, even if users are not logged in. As the check does not occur, access to the file and hence the plugin is open to all and sundry, including bad actors.
Exploiting the vulnerability opens the door for anyone to make changes to the site, including uploading arbitrary files. As such, hackers could exploit the vulnerability for remote code execution and takeover of a site running the plugin.
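To make the access-check failure concrete, here is an added illustrative example (not Elementor's code, and not the researchers' findings) of a WordPress AJAX handler as it would look without any authorization, beside a hardened version. The hook names, the `example_import_template` nonce action and the `manage_options` capability are assumptions chosen for the example; the WordPress functions used (`add_action`, `check_ajax_referer`, `current_user_can`, `wp_handle_upload`, `wp_send_json_error`) are real core API.

```php
<?php
// Added example, not from the original article or from Elementor.
// A plugin file included on every request registers an AJAX action.

// --- Vulnerable pattern: reachable while logged out, no nonce, no capability check ---
// The wp_ajax_nopriv_ hook exposes the handler to anonymous visitors.
add_action( 'wp_ajax_nopriv_example_import_template', 'example_import_template_unsafe' );
add_action( 'wp_ajax_example_import_template', 'example_import_template_unsafe' );

function example_import_template_unsafe() {
    // Trusts the client's filename and writes the upload straight into
    // the uploads directory: this is the "upload arbitrary files" outcome.
    $file = $_FILES['template'] ?? null;
    if ( $file ) {
        $dest = wp_upload_dir()['path'] . '/' . basename( $file['name'] );
        move_uploaded_file( $file['tmp_name'], $dest );
    }
    wp_send_json_success();
}

// --- Hardened pattern ---
// Registered only for logged-in users; deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_import_template', 'example_import_template_safe' );

function example_import_template_safe() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action
    //    (the client obtains it via wp_create_nonce( 'example_import_template' )).
    check_ajax_referer( 'example_import_template', 'nonce' );

    // 2. Authorization: only administrators (assumed capability for the example)
    //    may import templates. Being logged in is not enough.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: route the upload through WordPress' own handler,
    //    which enforces the allowed MIME/extension list (so no .php files)
    //    and generates a safe destination name instead of trusting the client.
    if ( empty( $_FILES['template'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['template'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'file' => $result['file'] ) );
}
```

Each of the three checks addresses a different failure: dropping the `nopriv` hook and checking a capability closes the "open to all and sundry" gap the article describes, the nonce stops a logged-in administrator from being tricked into triggering the action, and `wp_handle_upload` keeps an authorized upload from becoming remote code execution. When reviewing a plugin, look for handlers on `wp_ajax_nopriv_*`, `admin_post_nopriv_*` or public REST routes with `permission_callback` set to `__return_true` that go on to write files or change options.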
“Based on just what we saw in our very limited checking, we would recommend not using this plugin until it has had a thorough security review and all issues are addressed,” the researchers note.
The vulnerability has since been addressed in the latest update to Elementor – version 3.6.3. Naturally, anyone running a WordPress install with Elementor 3.6.0 to 3.6.2 is encouraged to update to the latest version to address the critical vulnerability.
“WordPress powers as much as a third of all websites on the Internet, including some of the most highly trafficked sites and a large percentage of e-commerce sites, so why aren’t they better equipped to protect against attack?” Pravin Madhani, chief executive officer and co-founder of application security platform provider K2 Cyber Security Inc., told SiliconANGLE. “In particular, RCE is one of the most dangerous flaws because it gives the attacker the ability to run almost any code on the hacked site.”
Madhani explained that traditional application security tools such as web application firewalls have difficulty dealing with RCE attacks because they rely on signatures derived from previously seen attacks, which leaves a new zero-day exploit with nothing to match against.
“For maximum protection, organizations using WordPress should make sure they use security in-depth, including application, network and system-level security,” Madhani added. “Finally, the simplest thing any organization can do to help reduce vulnerabilities is to keep their code (WordPress, plugins, SQL server-MySQL/MariaDB, web server-NGINX/Apache) up to date and patched.”