WordPress sites face another threat from vulnerable plugins. This time, security bugs in two related WordPress plugins put over a million websites at risk, and researchers observed the bugs being actively exploited in the wild.
Bugs In Two WordPress Plugins
Researchers from Wordfence have identified security bugs in two separate but related WordPress plugins. Chained together, the two bugs let an attacker who has no account on the site gain remote code execution.
In a blog post detailing the findings, the researchers highlighted a critical-severity bug in the Elementor Pro plugin: any registered user could upload arbitrary files, which allowed remote code execution on the site. As explained by the researchers,
It was a zero-day vulnerability as it caught the attention of hackers before the developers.
On sites “with open user registration”, the attackers could simply register an account and exploit the Elementor Pro bug directly. Sites with registration disabled were not safe either: in that case the attackers first exploited a registration bypass vulnerability in a second plugin, Ultimate Addons for Elementor, to obtain the account they needed.
Patches Rolled Out
Wordfence has confirmed that the bugs are being actively exploited, having examined compromised websites to verify the threat. As stated in their post,
The developers behind both plugins have since patched the flaws. Site owners should therefore update to Elementor Pro version 2.9.4 or higher and Ultimate Addons for Elementor version 1.24.2 or higher.
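As an added example (not code from the article or from Wordfence), the following Python script checks installed plugin versions against the patched releases named above. It reads the `Version:` header from each plugin's main PHP file, the same header WordPress itself reads. The directory names `elementor-pro` and `ultimate-elementor` are assumed to be the plugins' conventional slugs, and the embedded headers are constructed samples so the script runs offline.

```python
"""Check WordPress plugin versions against the patched releases named in the
article: Elementor Pro >= 2.9.4 and Ultimate Addons for Elementor >= 1.24.2.

Added example, not code from the article or from Wordfence.
"""
import re
from pathlib import Path

# Minimum safe versions as stated in the article, keyed by plugin directory
# name. The directory names (slugs) are an assumption for this example.
MIN_SAFE_VERSIONS = {
    "elementor-pro": "2.9.4",
    "ultimate-elementor": "1.24.2",
}

# Matches the 'Version:' line of a plugin header comment, with or without a
# leading '*' (both comment styles appear in real plugin files).
_VERSION_HEADER = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """Return the Version: header value from a plugin file's text, or None."""
    m = _VERSION_HEADER.search(text)
    return m.group(1) if m else None


def version_key(version):
    """Turn '2.9.4' or '1.24.2-beta1' into a tuple usable with < and >=.

    Pre-release suffixes are stripped, so '2.9.4-rc1' compares equal to 2.9.4
    and is treated as patched; that is the lenient choice, made deliberately.
    """
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = []
    for piece in core.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def is_vulnerable(slug, version):
    """True if the installed version is below the patched release for a listed plugin."""
    minimum = MIN_SAFE_VERSIONS.get(slug)
    if minimum is None:
        return False  # not one of the two plugins discussed in the article
    return version_key(version) < version_key(minimum)


def audit_plugins(plugins_dir):
    """Scan wp-content/plugins/<slug>/*.php for the two affected plugins.

    Returns a list of (slug, version, vulnerable) for each one installed. A
    plugin whose version cannot be read is reported as vulnerable, since an
    unknown version should be investigated rather than assumed safe.
    """
    findings = []
    for slug in MIN_SAFE_VERSIONS:
        plugin_dir = Path(plugins_dir) / slug
        if not plugin_dir.is_dir():
            continue
        version = None
        for php in sorted(plugin_dir.glob("*.php")):
            version = parse_version(php.read_text(errors="replace"))
            if version:
                break
        findings.append((slug, version, version is None or is_vulnerable(slug, version)))
    return findings


# Constructed sample headers (not real plugin files) for a self-contained demo.
SAMPLE_ELEMENTOR_PRO_HEADER = """<?php
/**
 * Plugin Name: Elementor Pro
 * Version: 2.9.3
 */
"""
SAMPLE_ULTIMATE_ADDONS_HEADER = """<?php
/*
Plugin Name: Ultimate Addons for Elementor
Version: 1.24.2
*/
"""


def demo():
    """Run the check over the constructed headers; returns slug -> vulnerable."""
    return {
        "elementor-pro": is_vulnerable("elementor-pro", parse_version(SAMPLE_ELEMENTOR_PRO_HEADER)),
        "ultimate-elementor": is_vulnerable("ultimate-elementor", parse_version(SAMPLE_ULTIMATE_ADDONS_HEADER)),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python check_elementor.py /var/www/html/wp-content/plugins
        for slug, version, vuln in audit_plugins(sys.argv[1]):
            print(f"{slug}: {version or 'unknown'} -> {'VULNERABLE' if vuln else 'patched'}")
    else:
        print(demo())
```

Point the script at a site's `wp-content/plugins` directory to audit a real install; with no argument it runs against the constructed headers, flagging the 2.9.3 Elementor Pro sample as vulnerable and the 1.24.2 Ultimate Addons sample as patched. Note that a version check only tells you whether the hole is closed, not whether it was used before the update; a site that ran a vulnerable version while the bugs were being exploited still needs to be checked for signs of compromise.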
The researchers have also recommended the following steps to help ensure that a site remains uncompromised.