A security flaw in a popular plugin made it possible for malicious actors to compromise more than a million WordPress websites, experts have reported.
According to the Wordfence Threat Intelligence team, a vulnerability in the Starter Templates - Elementor, Gutenberg & Beaver Builder Templates plugin, allowed contributor-level users to completely overwrite any page on the site, and embed malicious JavaScript at will.
Site takeover a possibility
The elementor_batch_process function associated with this action does perform a nonce check, the researchers further explain, but this was a weak gateway, as the required ajax_nonce was also available to contributors in the page source of the WordPress dashboard.
In theory, a malicious actor could create and host a block with malicious JavaScript on a server, and then use it to overwrite any post or page, by sending an AJAX request with the action set to astra-page-elementor-batch-process, and the URL parameter set towards the remotely hosted malicious block.
Consequently, the malicious JavaScript could get executed in the visitor’s browser.
There are numerous use cases for the flaw, Wordfence says, including redirecting users to a malicious website, hijacking an admin session to create new admins, or adding a backdoor to the site, which could lead to complete site takeover.
With the latter being a high-level threat, Wordfence recommends all affected users to spread the word and raise awareness of the vulnerability.
Stay safe online with the best endpoint protection tools