
Critical bug in Elementor WordPress plugin threatens 500,000 sites

Elementor WordPress plugin

A critical vulnerability recently patched in the Elementor plugin for WordPress allowed authenticated users to upload arbitrary files to vulnerable sites, which could lead to arbitrary code execution. Worse, researchers believe that unauthenticated users may also be able to exploit the vulnerability, although that scenario has not yet been officially confirmed.

Although authentication is required to exploit the vulnerability, the bug was still classified as critical, since any user with an account on the vulnerable site, including ordinary subscribers, can exploit it. To fix the RCE issue that posed a threat to 500,000 websites, the developers of the Elementor Website Builder plugin have already released version 3.6.3.

The problem in the popular plugin was discovered by the WordPress Plugin Vulnerabilities team. According to them, the root of the bug lay in the absence of a critical access check in one of the plugin’s files, module.php, which is loaded on every request during admin_init actions, even for users without elevated privileges. Since one of the functions run on admin_init accepts file uploads through a plugin form, an attacker can place a malicious file there and obtain remote code execution.
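The bug class described above is a handler hooked to admin_init that trusts an upload without checking who is asking. The following is an added illustration of that pattern in a generic plugin, not Elementor's code and not the code the researchers reported: the hook, function and field names (example_unsafe_upload_handler, example_safe_upload_handler, example_file, example_upload_action) are hypothetical. The unsafe shape is shown first, then the same handler with the checks a reviewer would expect.

```php
<?php
// Added illustration of the admin_init upload pattern; hypothetical plugin
// code, not Elementor's. Names prefixed "example_" are invented here.

// UNSAFE: admin_init fires for every wp-admin request, including
// admin-ajax.php and admin-post.php, and for every logged-in role. A handler
// that acts on $_FILES here without a capability or nonce check lets any
// account, subscriber included, write a file of its choosing into the site.
add_action('admin_init', 'example_unsafe_upload_handler');
function example_unsafe_upload_handler() {
    if (empty($_FILES['example_file'])) {
        return;
    }
    // Note: is_admin() would be true here too; it only says "this is a
    // wp-admin request", it is not a permission check.
    $dest = WP_PLUGIN_DIR . '/example-plugin/uploads/'
          . basename($_FILES['example_file']['name']);
    move_uploaded_file($_FILES['example_file']['tmp_name'], $dest);
}

// HARDENED: same hook, same form, but the request must come from a role
// allowed to manage the plugin, carry a valid nonce, and pass WordPress's
// own upload validation with an explicit MIME allow-list.
add_action('admin_init', 'example_safe_upload_handler');
function example_safe_upload_handler() {
    if (empty($_FILES['example_file'])) {
        return;
    }
    // 1. Capability check: reject low-privilege accounts outright.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    // 2. CSRF protection: the form must carry the nonce it was rendered with
    //    (wp_nonce_field('example_upload_action', 'example_upload_nonce')).
    check_admin_referer('example_upload_action', 'example_upload_nonce');
    // 3. Let WordPress validate and place the file; restrict accepted types
    //    to what the feature actually needs (JSON here, as a sample choice).
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload($_FILES['example_file'], [
        'test_form' => false,
        'mimes'     => ['json' => 'application/json'],
    ]);
    if (isset($result['error'])) {
        wp_die(esc_html($result['error']), '', ['response' => 400]);
    }
    // $result['file'] now points at a validated file under wp-content/uploads,
    // never under the plugin directory where PHP would be executed.
}
```

When reviewing a plugin, the question to ask of every admin_init, admin_post_* and wp_ajax_* callback that touches $_FILES or $_POST is simply whether current_user_can() and a nonce check run before any write happens; the hook name alone guarantees neither.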

According to the researchers, the problem appeared in the Elementor 3.6.0 code released on March 22. Official WordPress statistics say that approximately 30.7% of Elementor users have upgraded to version 3.6.x, which means that the maximum number of potentially vulnerable sites is approximately 1,500,000.

The plugin has been downloaded a little over a million times in recent days, and even assuming all of those downloads were upgrades to version 3.6.3, about 500,000 sites remain vulnerable. It is worth noting that the Plugin Vulnerabilities team included a PoC exploit for the new vulnerability in their report, which further increases the risk of hacking vulnerable sites.
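For an administrator who wants to know whether a site falls in the affected range the article gives (3.6.0 up to, but not including, the fixed 3.6.3), the following is an added example, not from the article or from Elementor: it reads the Version header from a plugin's main file and compares it with PHP's version_compare(). The sample header below is constructed; on a live site the input would be the contents of WP_PLUGIN_DIR . '/elementor/elementor.php'.

```php
<?php
// Added example, not part of the article or of the Elementor plugin.
// Decides from a plugin header whether the installed version lies in the
// range the article describes as affected: 3.6.0 <= version < 3.6.3.

function elementor_version_is_vulnerable(string $version): bool {
    return version_compare($version, '3.6.0', '>=')
        && version_compare($version, '3.6.3', '<');
}

// Pull the "Version:" line out of a plugin's main file header.
function plugin_header_version(string $fileContents): ?string {
    $re = '/^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$/mi';
    return preg_match($re, $fileContents, $m) ? $m[1] : null;
}

// Constructed sample header (not the real elementor.php).
$sample = <<<'HEADER'
<?php
/**
 * Plugin Name: Elementor
 * Version: 3.6.1
 */
HEADER;

$version = plugin_header_version($sample);
if ($version === null) {
    echo "Could not read a Version header\n";
} elseif (elementor_version_is_vulnerable($version)) {
    echo "Elementor $version is in the affected range; update to 3.6.3 or later\n";
} else {
    echo "Elementor $version is outside the affected range\n";
}
```

On a site with WP-CLI available, `wp plugin get elementor --field=version` returns the same version string and can be fed straight into elementor_version_is_vulnerable(); the header parser is for cases where only the files are at hand, such as a backup or a disk image taken during incident response.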

I am Priyanka, currently dedicating myself entirely to writing for ournethelps.com. In my role as a writer, I am committed to producing content of exceptional quality and collaborate closely with the ONH Team to ensure the delivery of outstanding material. Outside of work, my hobbies include creating humorous videos for my Instagram, YouTube, and Facebook channels.