
Critical RCE vulnerability detected in WordPress Elementor plugin


Elementor, a WordPress website-builder plugin with over five million active installations, was found to be vulnerable to an authenticated remote code execution flaw that could be abused to take over affected websites.

The plugin vulnerability, which was disclosed last week, was introduced in version 3.6.0 which was released on March 22, 2022. Approximately 37% of plugin users are on version 3.6.x.

“This means that the website can execute malicious code provided by the attacker. In this case, it is possible that someone who is not logged into WordPress can exploit the vulnerability, but anyone who is logged into WordPress and has access to the WordPress admin panel can easily exploit it,” the researchers said.

The root cause is an arbitrary file upload on affected websites: an attacker who can place a file of their choosing on the server can use it to execute code.

The vulnerability was fixed in the latest version of Elementor, and Patchstack said that “This vulnerability could allow any authenticated user, regardless of authorization, to change the site title, the site logo, change the Elementor theme, and worst of all, upload arbitrary files to the site.”
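The article gives two facts a site operator needs for triage: the flaw arrived in Elementor 3.6.0, and it is fixed in the latest release. The following is an added example (not code from the article, from Elementor, or from Patchstack) that turns those facts into a fleet check. It assumes the input is the JSON that `wp plugin list --format=json` emits (fields `name`, `status`, `version`), constructed inline here as a sample, and that the caller supplies the fixed release number as `fixed_version`, since the page does not name it.

```python
"""Flag Elementor installs that fall inside the affected version range.

Added example, not code from the article, Elementor, or Patchstack.
Assumptions not stated on the page: the fixed release is supplied by the
caller as `fixed_version`; the input is the JSON emitted by
`wp plugin list --format=json` (name, status, version), constructed below.
"""
import json

INTRODUCED_IN = "3.6.0"  # from the article: the flaw was introduced in 3.6.0

# Constructed sample of `wp plugin list --format=json` output, not real data.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "elementor", "status": "active", "version": "3.6.1"},
    {"name": "elementor", "status": "inactive", "version": "3.5.6"},
    {"name": "akismet", "status": "active", "version": "4.2.2"},
])


def parse_version(version):
    """Turn '3.6.1' into (3, 6, 1).

    Missing components are padded with 0 and non-numeric suffixes such as
    '3.6.0-beta1' are dropped, so pre-releases compare as their base version.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version, fixed_version):
    """True when INTRODUCED_IN <= version < fixed_version."""
    v = parse_version(version)
    return parse_version(INTRODUCED_IN) <= v < parse_version(fixed_version)


def affected_sites(plugin_list_json, fixed_version):
    """Return the Elementor entries from a plugin-list dump that still need updating.

    Inactive installs are reported too: the plugin files are still on disk,
    and the operator should decide whether to update or remove them.
    """
    entries = json.loads(plugin_list_json)
    return [
        entry for entry in entries
        if entry.get("name") == "elementor"
        and is_affected(entry.get("version", "0"), fixed_version)
    ]


if __name__ == "__main__":
    # Placeholder fixed version for the demo; substitute the current release.
    for hit in affected_sites(SAMPLE_PLUGIN_LIST, "3.6.99"):
        print(f"update needed: elementor {hit['version']} ({hit['status']})")
```

On a real host, pipe `wp plugin list --format=json` into `affected_sites` and pass the release number shown on the plugin's changelog as `fixed_version`; anything reported is inside the range the article describes and should be updated before anything else on the triage list.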

The disclosure comes more than two months after Essential Addons for Elementor was found to contain a critical vulnerability that could result in arbitrary code execution on compromised websites.

