A zero-day vulnerability was recently discovered in a highly popular add-on for the WordPress website builder, potentially putting at risk some 200,000 people who are using it.
Cybersecurity researchers from Wordfence and WPScan (both WordPress security firms) discovered the vulnerability in Royal Elementor Addons and Templates, a website-building add-on kit built by WP Royal.
The vulnerability is tracked as CVE-2023-5360, and has a severity score of 9.8 (critical). By abusing the flaw, threat actors can upload files onto the WP platform, and even bypass different checks the add-on has, such as permitted file types. That, down the road, could enable them to completely take over the vulnerable website (if, for example, they upload a file that allows for remote code execution).
Abused in the wild
The flaw has already been discovered by threat actors, and used in attacks, the researchers added, with attacks starting in late August 2023, with the volume significantly increasing on October 3.
Wordfence reported identifying and blocking more than 46,000 attacks, while WPScan has seen 889 instances of threat actors dropping ten different payloads. While this might sound like an onslaught, most attacks are coming from just two IP addresses, which could suggest that the flaw is only known to a small number of hackers.
The researchers reached out to WP Royal on October 3, and a patch was released within three days. To secure their websites, admins are advised to update the Royal Elementor Addons and Templates add-on to version 1.3.79. There are both commercial and free scanning solutions that can help admins determine if their website is susceptible or not, BleepingComputer finds. It’s also worth mentioning that uploading to the newest version won’t automatically remove the infections - admins will need to do so manually.
More from TechRadar Pro
- Thousands of WordPress sites have been hit by another major plugin flaw - find out if you're at risk
- Here's a list of the best firewalls today
- These are the best ransomware protection tools right now
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.