Half a million WordPress websites vulnerable due to leak in popular plugin

Some 600,000 websites running on WordPress are currently vulnerable due to a leak in a popular plugin. The vulnerability in the Essential Addons for Elementor plugin allows hackers to take over sites remotely through Remote Code Execution (RCE). Website owners are advised to install version 5.0.5 as soon as possible. This closes the leak.

Cybersecurity company Patchstack writes this in a weblog. The vulnerability came to light thanks to security researcher Wai Yan Myo Thet.

Vulnerability in popular WordPress plugin

This is a vulnerability in the Elementor plugin. It is a so-called page builder that developers use to replace the standard WordPress editor. Simply put, this plugin offers more options to set up a site to your own taste.

Over time, many expansions have been released for Elementor. One of them is Essential Addons. Whoever installs this plugin gets more than 80 extra elements and extensions to design his site. It is a popular plugin among website builders: the statistics show that the plugin has been installed on more than one million sites.

Security update available

A vulnerability in Essential Addons allowed unauthorized users to perform a so-called Local File Inclusion Attack. This gives hackers and other malicious parties access to a website and allows them to remotely infect a site with malicious code. This is also known as Remote Code Execution (RCE). The only requirement was that users had enabled the ‘Dynamic Gallery’ and ‘Product Gallery’ widgets.

Security researcher Wai Yan Myo Thet reported the vulnerability to the plugin developer on Tuesday, January 25. He said he was already aware of the vulnerability and was working on an update to close the vulnerability. In total, three minor updates were required to fix the issue.

Website builders who use Elementor with the Essential Addons plugin for their site are advised to install version 5.0.5 as soon as possible. This has now happened more than 380,000 times. That means more than 600,000 WordPress websites are still vulnerable.

Secretary of State: ‘Use of WordPress by government agencies is not a problem’

We regularly hear that WordPress websites are vulnerable due to a vulnerability in a plugin. A leak in File Manager allowed hackers to upload a malicious file to a site running on WordPress. More than 1.7 million sites were left vulnerable overnight.

Concerns have also been expressed in the House of Representatives about the content management system. The reason for this was an investigation by Trouw. The newspaper concluded that the central government, ten municipalities, eight environmental services, five security regions, four regional GGDs, several water boards, the FIOD, customs and the tax authorities ran ‘an extra high risk’ of being hacked. That’s because WordPress uses a login page that is accessible to everyone.

The findings prompted DENK Member of Parliament Stephan van Baarle to put written questions to the then State Secretary for the Interior and Kingdom Relations Raymond Knops. The minister promised the House of Representatives that government organizations could use WordPress with peace of mind: after all, they took good security measures to exclude unauthorized access and misuse.

“I see no objection to the use of individual software packages, such as WordPress, once risk assessments have been made and measures have been taken,” concluded Knops. The State Secretary saw no reason to increase “policy efforts” to increase the digital resilience of government websites.

Catch up on more articles here

Follow us on Twitter here


Must read


Related Posts