Bugs in Two Related WordPress Plugins Together Risked Over 1 Million Websites

WordPress websites suffered another threat from vulnerable plugins. This time, security bugs in two related WordPress plugins put over a million websites at risk, and researchers observed the bugs being actively exploited.

Bugs In Two WordPress Plugins

Researchers from Wordfence have found security bugs in two separate but related WordPress plugins. As observed, exploiting the two bugs in combination enabled a large-scale attack.

Stating the details in a blog post, the researchers highlighted that a critical severity bug existed in the Elementor Pro plugin. The bug allowed any registered user to upload arbitrary files, which led to remote code execution. As explained by the researchers,

An attacker able to remotely execute code on your site can install a backdoor or webshell to maintain access, gain full administrative access to WordPress, or even delete your site entirely.

It was a zero-day vulnerability: attackers found and exploited it before the developers were aware of it.

While the hackers could exploit this bug directly on sites “with open user registration”, they could also reach it on websites that had registration disabled.

In the latter case, they chained it with a registration bypass vulnerability in another plugin, Ultimate Addons for Elementor.

Patches Rolled Out

Wordfence has confirmed active exploitation of the bugs, having examined some compromised websites to verify the threat. As stated in their post,

As this is an active attack, we wanted to alert you so that you can take steps to protect your site. We are intentionally limiting the amount of information this post provides, because this is an ongoing attack.

However, the developers behind both plugins have since patched the flaws. Hence, users should update their websites to Elementor Pro version 2.9.4, and Ultimate Addons for Elementor version 1.24.2 or higher.

Moreover, the researchers also recommended the following checks to verify that a website has not been compromised.

– Check for any unknown subscriber-level users on your site.
– Check for files named “wp-xmlrpc.php”.
– Delete any unknown files or folders found in the /wp-content/uploads/elementor/custom-icons/ directory.
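The three checks Wordfence recommends can be run from a shell on the web server. The script below is an added example, not code from Wordfence or from this article; it assumes the WordPress install root is passed as the only argument and that WP-CLI (`wp`) is installed for the user listing.

```shell
#!/bin/sh
# Triage script for the three indicators listed above (added example).
# Assumption: $1 is the WordPress install root, e.g. /var/www/html.

find_suspicious_xmlrpc() {
    # Files literally named wp-xmlrpc.php; the legitimate core endpoint is xmlrpc.php,
    # so any hit here deserves a look.
    find "$1" -type f -name 'wp-xmlrpc.php' 2>/dev/null
}

list_custom_icon_files() {
    # Everything under the custom-icons upload directory, so unknown files and
    # folders stand out against the icon sets the site owner actually uploaded.
    dir="$1/wp-content/uploads/elementor/custom-icons"
    [ -d "$dir" ] || return 0
    find "$dir" -mindepth 1 2>/dev/null
}

list_subscribers() {
    # Subscriber-level accounts with their registration date; unknown ones created
    # around the attack window are the indicator. Falls back to a hint when WP-CLI is absent.
    if ! command -v wp >/dev/null 2>&1; then
        echo "wp-cli not found; review Users > All Users (role: Subscriber) in wp-admin" >&2
        return 0
    fi
    wp --path="$1" user list --role=subscriber --fields=ID,user_login,user_email,user_registered
}

scan_wp_root() {
    root="$1"
    echo "== files named wp-xmlrpc.php =="
    find_suspicious_xmlrpc "$root"
    echo "== contents of wp-content/uploads/elementor/custom-icons =="
    list_custom_icon_files "$root"
    echo "== subscriber-level users =="
    list_subscribers "$root"
}

# Usage: sh wp-elementor-triage.sh /var/www/html
if [ $# -eq 1 ]; then
    scan_wp_root "$1"
fi
```

The script only reports; deleting files or users remains a manual decision after comparing the output with what the site owner knows to be legitimate.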
