A critical vulnerability in a popular WordPress plugin has exposed millions of websites to hacking.
The vulnerability was found in Elementor, a WordPress website-builder plugin with more than 5 million active installations. It was introduced in version 3.6.0 of the plugin, released on March 22.
The vulnerability is caused by the absence of a critical access (capability) check in one of the plugin's files, which is loaded on every request, including requests from users who are not logged in. Because that check is never performed, the code in the file, and through it the plugin's privileged functionality, is reachable by anyone who can send a request to the site.
Exploiting the vulnerability lets anyone make changes to the site, including uploading arbitrary files. An attacker could therefore use it for remote code execution and full takeover of a site running the affected plugin. "Based on just what we saw in our very limited checking, we would recommend not using this plugin until it has had a thorough security review and all issues are addressed," the researchers noted.
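The pattern behind this class of bug is a handler hooked on a WordPress action that fires for every request (admin_init is the usual one) and that performs a privileged operation without first asking whether the caller is allowed to. The following is an added, constructed example written for this article; it is not Elementor's code and does not reproduce the plugin's actual file. The function and hook names (example_vulnerable_handler, example_fixed_handler, example_download_and_install, example_is_allowed_source, the example_action and package_url request parameters, and the _example_nonce field) are assumptions chosen for illustration; current_user_can, check_admin_referer, download_url and unzip_file are real WordPress functions. The first handler shows the missing check; the second shows the fix a reviewer would expect.

```php
<?php
/*
 * Constructed example, not Elementor's code. admin_init fires on every
 * wp-admin and admin-ajax.php request, before WordPress has decided whether
 * the caller may do anything, so each handler must authorize on its own.
 */

// Hypothetical installer: fetches an archive and unpacks it into the plugin
// directory. Whatever calls this decides who is allowed to write code to disk.
function example_download_and_install( $package_url ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $tmp = download_url( $package_url );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }
    WP_Filesystem();
    $result = unzip_file( $tmp, WP_PLUGIN_DIR );
    @unlink( $tmp );
    return $result;
}

// VULNERABLE: trusts the request because "it only runs inside admin".
// No capability check and no nonce check, so any request that reaches
// admin_init (logged in or not, per the article) drives the installer.
function example_vulnerable_handler() {
    if ( empty( $_POST['example_action'] ) || 'install_package' !== $_POST['example_action'] ) {
        return;
    }
    $package = wp_unslash( $_POST['package_url'] );
    example_download_and_install( $package ); // arbitrary archive written to disk
}
// add_action( 'admin_init', 'example_vulnerable_handler' ); // the bug, if wired in

// Hypothetical allow-list of package hosts, so even an administrator cannot
// be tricked into installing code from an arbitrary origin.
function example_is_allowed_source( $url ) {
    $host = wp_parse_url( $url, PHP_URL_HOST );
    return in_array( $host, array( 'downloads.wordpress.org' ), true );
}

// FIXED: authorize the caller first, then verify the request is intentional,
// then validate the input. Order matters: a nonce is not authorization.
function example_fixed_handler() {
    if ( empty( $_POST['example_action'] ) || 'install_package' !== $_POST['example_action'] ) {
        return;
    }
    // Authorization: installing code is an administrator-level capability.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF protection: dies unless the form carried a nonce for this action.
    check_admin_referer( 'example_install_package', '_example_nonce' );

    // Input validation: must be a URL and must come from an allowed host.
    $package = esc_url_raw( wp_unslash( $_POST['package_url'] ) );
    if ( '' === $package || ! example_is_allowed_source( $package ) ) {
        wp_die( 'Invalid package source', '', array( 'response' => 400 ) );
    }
    $result = example_download_and_install( $package );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 500 ) );
    }
}
add_action( 'admin_init', 'example_fixed_handler' );
```

Two checks a reviewer should look for in any plugin handler of this kind: a current_user_can() call with a capability that actually matches the operation (install_plugins or manage_options for writing code, not merely being logged in), and a nonce check that sits alongside it rather than in place of it. A nonce only proves the request came from a page WordPress rendered for that user; on its own it does not stop a low-privileged account from invoking an administrator-only action. The same applies to handlers registered through wp_ajax_* hooks, and wp_ajax_nopriv_* exposes a handler to callers who are not logged in at all.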
The vulnerability has since been addressed in Elementor version 3.6.3. Anyone running a WordPress install with Elementor 3.6.0 through 3.6.2 should update to the latest version to close the critical vulnerability.
Traditional application security tools such as Web Application Firewalls have difficulty with this kind of RCE attack because they detect it by matching requests against signatures of attacks seen before; a new zero-day, exploited through requests that otherwise look legitimate, has no signature for them to match.
Organizations using WordPress should practice defense in depth, combining application-, network- and system-level security controls. The simplest thing any organization can do to reduce its exposure is to keep every layer of the stack patched and up to date: WordPress core, its plugins, the database server (MySQL/MariaDB) and the web server (NGINX/Apache).