A million WordPress sites are at risk due to plugin vulnerability

WordPress website
(Image credit: Shutterstock/Koshiro K)

A security flaw in a popular plugin made it possible for malicious actors to compromise more than a million WordPress websites, experts have reported.

According to the Wordfence Threat Intelligence team, a vulnerability in the Starter Templates - Elementor, Gutenberg & Beaver Builder Templates plugin, allowed contributor-level users to completely overwrite any page on the site, and embed malicious JavaScript at will.

The vulnerability was discovered on October 4, and patched three days later, on October 7 - with all users (particularly those using versions 2.7.0 and older) now advised to update the plugin to at leas, version 2.7.5.

The WordPress plugin allows site owners to integrate prebuilt templates for other website builders, such as Elementor. For sites with this builder installed, Wordfence discusses an example, it was possible for users with the edit_post capability (such as contributors), to import blocks on the pages through the astra-page-elementor-batch-process AJAX action.

Site takeover a possibility

The elementor_batch_process function associated with this action does perform a nonce check, the researchers further explain, but this was a weak gateway, as the required ajax_nonce was also available to contributors in the page source of the WordPress dashboard.

In theory, a malicious actor could create and host a block with malicious JavaScript on a server, and then use it to overwrite any post or page, by sending an AJAX request with the action set to astra-page-elementor-batch-process, and the URL parameter set towards the remotely hosted malicious block.

Consequently, the malicious JavaScript could get executed in the visitor’s browser.

There are numerous use cases for the flaw, Wordfence says, including redirecting users to a malicious website, hijacking an admin session to create new admins, or adding a backdoor to the site, which could lead to complete site takeover.

With the latter being a high-level threat, Wordfence recommends all affected users to spread the word and raise awareness of the vulnerability. 

Stay safe online with the best endpoint protection tools

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.