A zero-day vulnerability was recently discovered in a very popular WordPress website builder add-on, potentially putting around 200,000 people who use it at risk.
Cybersecurity researchers from Wordfence and WPScan (both WordPress security companies) discovered the vulnerability in Royal Elementor Addons and Templates, a website building add-on kit built by WP Royal.
The vulnerability is tracked as CVE-2023-5360 and has a severity score of 9.8 (critical). By exploiting the flaw, threat actors can upload files to the WP platform and even bypass various controls that the add-on has, such as allowed file types. This could eventually allow them to completely take over the vulnerable website (for example, if they upload a file that allows code to be executed remotely).
Abused in the wild
The flaw has already been discovered by threat actors and used in attacks, the researchers added, with attacks beginning in late August 2023, with volume increasing significantly on October 3.
Wordfence reported that it identified and blocked more than 46,000 attacks, while WPScan saw 889 instances where threat actors dropped ten different payloads. While this may sound like an attack, most attacks come from just two IP addresses, which could indicate that the flaw is known to only a small number of hackers.
The researchers contacted WP Royal on October 3 and a patch was released within three days. To secure their websites, administrators are advised to update the Royal Elementor Addons and Templates add-on to version 1.3.79. There are both commercial and free scanning solutions that can help administrators determine whether their website is susceptible or not, BleepingComputer finds. It’s also worth mentioning that uploading to the latest version will not automatically remove the infections; administrators will have to do this manually.
Through BleepingComputer