WordPress (WP) is one of the most popular content management systems (CMS) on the planet, largely owing to its ease of use; HackRead.com, BBC America and CNN, among many others, run on it. Around the core sits a whole ecosystem of themes and plugins that make it easy for developers to build sites.
One such plugin is Elementor Pro, a site builder that allows users to add modules and customize their site using a drag and drop builder. Serving as evidence of its popularity, it currently has over 1 million active installations.
However, it has recently been found to contain a bug that a remote attacker can exploit to upload arbitrary files, which leads to the execution of unauthorized code on the server and can do serious damage.
Backdoors and web shells, for example, can be installed this way. Both give the attacker a persistent path back into the site, including access to critical parts of it such as the file system, and with that the ability to modify or delete the site's data.
The one caveat is that the attacker needs an account on the target WordPress site for the exploit to work.
That prerequisite is easier to meet than it sounds, however. A separate plugin, Ultimate Addons for Elementor, has a vulnerability in versions 1.24.1 and below that lets an attacker register an account on the site without the administrator having sanctioned user registration, which in turn opens the way to the Elementor Pro flaw.
To elaborate: WordPress has several user roles, the lowest-privileged of which is Subscriber. Where a site allows open registration, creating a subscriber account requires no approval from the administrator; where registration is disabled, the Ultimate Addons flaw lets the attacker create one anyway. Either way, a subscriber-level account is all that is needed to exploit the Elementor Pro vulnerability.
As usual, fixes are available. Wordfence, one of the leading security plugin companies in the WP industry, has published guidance stating that updating Elementor Pro to the latest version secures your site; Elementor released the patch yesterday, May 7.
A tweet from Wordfence addressing the issue:
An update: @elemntor has released Pro version 2.9.4, and our threat intelligence team has verified it fixes the authenticated file upload vulnerability. Please ensure you update your Elementor Pro plugins to 2.9.4. Kudos to Elementor for the fast fix. https://t.co/Ahcn3AtUK1
— Wordfence (@wordfence) May 7, 2020
Other precautionary measures recommended by the firm include the following:
- Actively remove any subscriber-level users that have registered on your site without your permission; their presence may be an indicator of compromise (IOC).
- Look out for a file named "wp-xmlrpc.php". WordPress core ships xmlrpc.php, not wp-xmlrpc.php, so this file is a potential IOC and should be deleted.
- Check the /wp-content/uploads/elementor/custom-icons/ directory in your file manager to ensure it contains no unauthorized or unknown files that the attacker may have uploaded to conduct the attack.
To conclude, it is also worth installing a security plugin such as Wordfence or Sucuri. Both can actively scan your site for malware and harden it at the same time, for example by preventing PHP files from being uploaded to or executed from the uploads directory.
You should also make regular backups of your site, either manually or through a plugin, so that it can always be restored if you find your data deleted.
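To make the file-system checks in the list above and the "no PHP in uploads" hardening concrete, here is an added shell script. It is example code written for this article, not Wordfence's or Elementor's own tooling, and it rests on a few assumptions: the site root is passed as an argument, the rogue wp-xmlrpc.php is looked for in that root (the location is an assumption), and the hardening rule targets Apache 2.4 via an .htaccess file. The rogue-subscriber check needs the database, so it is only noted in a comment (wp-cli's `wp user list --role=subscriber`). The site tree the demo scans is constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Added example (not Wordfence's or Elementor's code): triage the file-system
# IOCs from the Elementor Pro advisory and apply uploads-directory hardening.
# Assumption: "$1" is the WordPress site root. Nothing here touches the
# database; list unexpected accounts separately with
#   wp user list --role=subscriber --field=user_login

# Print every file under custom-icons whose extension a typical Apache/PHP
# setup could execute as PHP. Font files, css and config.json from a genuine
# icon-set zip are not flagged, but still deserve a manual look.
scan_custom_icons() {
    dir="$1/wp-content/uploads/elementor/custom-icons"
    [ -d "$dir" ] || return 0
    find "$dir" -type f | grep -Ei '\.(php|php[0-9]|phtml|phar)$' || true
}

# wp-xmlrpc.php is not a core file (core ships xmlrpc.php only). Assumed
# location: site root. Exit status 0 = present, 1 = absent.
has_rogue_xmlrpc() {
    [ -f "$1/wp-xmlrpc.php" ]
}

# Total number of suspicious items: executable files under custom-icons
# plus the dropped wp-xmlrpc.php, if present.
count_iocs() {
    n=$(scan_custom_icons "$1" | wc -l | tr -d ' ')
    if has_rogue_xmlrpc "$1"; then n=$((n + 1)); fi
    echo "$n"
}

# Hardening: refuse to serve anything PHP-like from the uploads tree. This is
# the Apache 2.4 equivalent of a security plugin's "disable code execution in
# uploads" option; nginx needs a location block instead (not covered here).
deny_php_in_uploads() {
    uploads="$1/wp-content/uploads"
    mkdir -p "$uploads"
    cat > "$uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Constructed demo site (fake, built here so the script runs offline): the
# legitimate xmlrpc.php, a dropped wp-xmlrpc.php, and a web shell with an
# upper-case extension hidden among real-looking icon-set files.
build_fake_site() {
    icons="$1/wp-content/uploads/elementor/custom-icons/myicons"
    mkdir -p "$icons/font"
    : > "$1/xmlrpc.php"            # core file, not an IOC
    : > "$1/wp-xmlrpc.php"         # IOC
    : > "$icons/style.css"         # expected content of an icon-set zip
    : > "$icons/font/icons.woff"   # expected content of an icon-set zip
    : > "$icons/shell.PHP"         # IOC: executable file under custom-icons
}

main() {
    site=$(mktemp -d)
    build_fake_site "$site"
    echo "Suspicious items under $site: $(count_iocs "$site")"
    scan_custom_icons "$site"
    if has_rogue_xmlrpc "$site"; then echo "wp-xmlrpc.php present: remove it"; fi
    deny_php_in_uploads "$site"
    rm -rf "$site"
}

main
```

Run it against a real install as `sh triage.sh /var/www/html` after replacing the `main` demo with the functions' output on that path; the scan is read-only apart from the .htaccess written by `deny_php_in_uploads`, so review that file first if the uploads directory already carries one.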