A security flaw in a popular plugin made it possible for malicious actors to compromise more than a million WordPress websites, experts have reported.
The vulnerability was discovered on October 4 and patched three days later, on October 7. All users, particularly those running versions 2.7.0 and older, are now advised to update the plugin to at least version 2.7.5.
The WordPress plugin lets site owners integrate prebuilt templates for other website builders, such as Elementor. For sites with that builder installed, Wordfence explains by way of example, it was possible for users with the edit_post capability (such as contributors) to import blocks into pages through the astra-page-elementor-batch-process AJAX action.
Site takeover a possibility
The elementor_batch_process function associated with this action does perform a nonce check, the researchers further explain, but this was a weak gateway, as the required ajax_nonce was also available to contributors in the page source of the WordPress dashboard. A nonce only shows that a request originated from the site's own interface; it does not establish that the user making it is authorized to perform the action.
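As an added illustration of the weakness described above (not the plugin's own code): a WordPress AJAX handler that checks only a nonce, beside a hardened version that also checks the user's capability and sanitizes the imported markup. The action name and the ajax_nonce field come from the article; the function names, request parameters and the capability chosen are assumptions.

```php
<?php
/**
 * Added illustration (not the plugin's own code): why a nonce check alone
 * does not authorize a privileged WordPress AJAX action, and what a
 * hardened handler adds. The action "astra-page-elementor-batch-process"
 * and the nonce field "ajax_nonce" come from the article; the function
 * names, request parameters and the chosen capability are assumptions.
 */

// WEAK: only a nonce check. The nonce is printed into the dashboard page
// source for every logged-in user, so a contributor can read it and submit
// a valid request. A nonce proves the request came from the site's own UI
// (anti-CSRF); it says nothing about whether the user may import content.
function example_weak_elementor_batch_process() {
    check_ajax_referer( 'astra-page-elementor-batch-process', 'ajax_nonce' );
    $page_id = isset( $_POST['page_id'] ) ? absint( $_POST['page_id'] ) : 0;
    $blocks  = isset( $_POST['blocks'] ) ? wp_unslash( $_POST['blocks'] ) : '';

    // Assumed import step: unvetted template content is written into the page.
    wp_update_post( array( 'ID' => $page_id, 'post_content' => $blocks ) );
    wp_send_json_success( array( 'page_id' => $page_id ) );
}

// HARDENED: nonce (intent) plus capability (authorization) plus sanitization.
function example_hardened_elementor_batch_process() {
    check_ajax_referer( 'astra-page-elementor-batch-process', 'ajax_nonce' );

    // Contributors lack manage_options, so the handler refuses them even
    // though they hold a valid nonce. The capability choice is an assumption.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $page_id = isset( $_POST['page_id'] ) ? absint( $_POST['page_id'] ) : 0;
    // Also require that this user may edit this specific page.
    if ( ! $page_id || ! current_user_can( 'edit_post', $page_id ) ) {
        wp_send_json_error( array( 'message' => 'Cannot edit this page.' ), 403 );
    }

    // Strip disallowed tags (script, event handlers) from the imported markup.
    $blocks = isset( $_POST['blocks'] ) ? wp_kses_post( wp_unslash( $_POST['blocks'] ) ) : '';

    wp_update_post( array( 'ID' => $page_id, 'post_content' => $blocks ) );
    wp_send_json_success( array( 'page_id' => $page_id ) );
}

// Registered for authenticated users only; no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_astra-page-elementor-batch-process', 'example_hardened_elementor_batch_process' );
```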
Wordfence describes several ways the flaw could be abused, including redirecting users to a malicious website, hijacking an admin session to create new admins, or adding a backdoor to the site, which could lead to complete site takeover.
Given the severity of that last scenario, Wordfence recommends that all affected users spread the word and raise awareness of the vulnerability.