Another Major WordPress Security Flaw Has Been Discovered

Another major WordPress security flaw has been discovered, and users have been urged to patch now. Reports from several sources say that a significant security flaw has been found in a very popular WordPress add-on.

Another Major WordPress Security Flaw Discovered

A zero-day vulnerability was recently discovered in a highly popular add-on for the WordPress website builder, potentially putting some 200,000 users of the add-on at risk.

Cybersecurity researchers from Wordfence and WPScan (both WordPress security firms) spotted the vulnerability in Royal Elementor Addons and Templates, a website-building add-on kit built by WP Royal.

The vulnerability is tracked as CVE-2023-5360 and carries a severity score of 9.8 (critical). By abusing the flaw, threat actors can upload files to the WordPress site and bypass several of the add-on's checks, such as the permitted file types. That could ultimately allow them to take over the vulnerable website completely, for instance if they manage to upload a file that enables remote code execution.

How the Vulnerability Operates

The researchers added that the flaw has already been spotted and exploited by threat actors in the wild, with attacks starting in late August 2023 and the volume increasing significantly on October 3.

Wordfence reported identifying and blocking over 46,000 attacks, while WPScan observed 889 examples of threat actors dropping ten different payloads. While this might sound like an onslaught, many of the attacks came from just two IP addresses, which suggests the flaw is known to only a small number of hackers.

The Researchers Reached Out To WP Royal on October 3

The researchers reached out to WP Royal on October 3, and a patch was released within three days. To secure their websites, admins are advised to update the Royal Elementor Addons and Templates add-on to version 1.3.79.

There are both commercial and free scanning solutions that can help affected admins determine whether their website is susceptible to the vulnerability, BleepingComputer notes. It is also worth stating that updating to the newest version will not remove existing infections automatically; admins will need to clean those up manually.
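Two checks an admin can run after reading the above, as an added example that is not from the article, Wordfence, WPScan or WP Royal: read the installed plugin's header `Version:` line and compare it against the patched 1.3.79, and list files with an executable extension (including double extensions such as `shell.php.jpg`) under the uploads tree, since the article notes that updating does not clean up files already dropped. The plugin path and the uploads location are assumptions to verify against your own install; the sample upload tree is constructed in the script.

```python
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Patched release named in the article.
PATCHED_VERSION = (1, 3, 79)

# Assumed plugin main file (WordPress plugin slug; verify on your install).
PLUGIN_MAIN_FILE = "wp-content/plugins/royal-elementor-addons/royal-elementor-addons.php"

# Extensions a web server may execute; any of these under uploads deserves a look.
SUSPICIOUS_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}

# Matches the "Version:" field of a WordPress plugin header block.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.IGNORECASE | re.MULTILINE)


def parse_plugin_version(header_text: str) -> tuple[int, ...] | None:
    """Return the plugin header's Version as an integer tuple, or None if absent."""
    match = VERSION_RE.search(header_text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).strip(".").split("."))


def is_vulnerable_version(version: tuple[int, ...] | None) -> bool:
    """Anything below the patched release (or an unreadable version) needs updating."""
    return version is None or version < PATCHED_VERSION


def find_executable_files(uploads_dir: str) -> list[str]:
    """List files under uploads_dir whose extensions include an executable one,
    catching both shell.php and double-extension names like shell.php.jpg."""
    hits = []
    for path in Path(uploads_dir).rglob("*"):
        if path.is_file() and {s.lower() for s in path.suffixes} & SUSPICIOUS_EXTENSIONS:
            hits.append(str(path.relative_to(uploads_dir)))
    return sorted(hits)


def scan_constructed_sample() -> list[str]:
    """Build a constructed uploads tree in a temp dir and scan it (demo input only)."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "2023", "10"))
    for name in ("2023/10/photo.jpg", "2023/10/shell.php.jpg", "x.phtml"):
        open(os.path.join(base, *name.split("/")), "w").close()
    return find_executable_files(base)
```

To check a live site, read `PLUGIN_MAIN_FILE` from the WordPress root and pass its contents to `parse_plugin_version`, then run `find_executable_files` on `wp-content/uploads`.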


