Critical Vulnerability in Popular WordPress Plugin Exposes Millions of Sites to Hacking
A critical vulnerability in a hugely popular WordPress plugin has exposed millions of websites to hacking.
Discovered by researchers at Plugin Vulnerabilities and detailed on April 12, the vulnerability was found in Elementor, a WordPress website-building plugin with over 5 million active installs. The flaw was introduced in version 3.6.0 of the plugin, released on March 22; around a third of sites running Elementor were on the vulnerable version when the vulnerability was found.
The vulnerability is caused by a missing access-control check in one of the plugin's files, which is loaded on every request, even when the user is not logged in. Because no vetting takes place, access to that file, and through it to the plugin's functionality, is open to everyone, including bad actors.
Exploiting the vulnerability lets anyone make changes to a site, including uploading arbitrary files. As a result, attackers could use it for remote code execution and to take over a site running the plugin. “Based on what we saw during our very limited review, we recommend against using this plugin until it has undergone a thorough security review and any issues are resolved,” the researchers noted.
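The bug class described above, a request handler that runs for every visitor with no access check, is illustrated here with a hypothetical plugin handler shown in its weak and hardened forms. This is an added example, not Elementor's code; the `example_plugin_*` names, the `example_action` parameter and the `manage_options` capability choice are assumptions.

```php
<?php
// Hypothetical privileged operation: writes a plugin setting from request data.
function example_plugin_save_setting( array $data ) {
    $value = isset( $data['value'] ) ? sanitize_text_field( wp_unslash( $data['value'] ) ) : '';
    update_option( 'example_plugin_setting', $value );
}

// Weak pattern (shown for contrast, not registered): hooked into 'init', so it
// runs on every request, and acts on POST data without checking who sent it.
// Anything reachable from here is exposed to unauthenticated visitors.
function example_plugin_handle_request_weak() {
    if ( empty( $_POST['example_action'] ) ) {
        return;
    }
    example_plugin_save_setting( $_POST );
}

// Hardened pattern: the same handler, but it refuses anonymous or
// under-privileged users and requests that lack a valid nonce.
function example_plugin_handle_request_fixed() {
    if ( empty( $_POST['example_action'] ) ) {
        return;
    }
    // Access control: the caller must be logged in and hold the capability.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
    // CSRF protection: the request must carry a nonce issued for this action.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_plugin_action' ) ) {
        wp_die( 'Invalid request', 'Invalid request', array( 'response' => 403 ) );
    }
    example_plugin_save_setting( $_POST );
}
add_action( 'init', 'example_plugin_handle_request_fixed' );
```

Reviewing a plugin for handlers hooked into `init` or `admin_init` that touch request data before any `current_user_can()` or nonce check is a practical way to spot this pattern before it ships.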
The vulnerability has since been fixed in the latest Elementor version 3.6.3 update. Naturally, anyone running a WordPress installation with Elementor 3.6.0 to 3.6.2 is encouraged to update to the latest version to address the critical vulnerability.
“WordPress powers up to a third of all websites on the internet, including some of the busiest sites and a large percentage of e-commerce sites, so why aren’t they better equipped to protect against attacks?” Pravin Madhani, co-founder and managing director of application security platform provider K2 Cyber Security Inc., told SiliconANGLE. “In particular, RCE is one of the most dangerous flaws because it gives the attacker the ability to execute almost any code on the hacked site.”
Madhani explained that traditional application security tools such as web application firewalls struggle to deal with RCE attacks because they rely on knowledge of a past RCE attack or signature in order to detect a new zero-day or undiscovered attack.
“For maximum protection, organizations using WordPress should ensure that they employ in-depth security, including application, network, and system-level security,” Madhani added. “Finally, the simplest thing an organization can do to help reduce vulnerabilities is to keep their code – WordPress, plugins, SQL Server-MySQL/MariaDB, Web Server-NGINX/Apache – up-to-date and patched.”