Another major WordPress security flaw has been discoverd - so patch now

Sead Fadilpašić

Tue, Oct 17, 2023, 11:57 AM2 min read

Wordpress brand logo on computer screen. Man typing on the keyboard.

A zero-day vulnerability was recently discovered in a highly popular add-on for the WordPress website builder, potentially putting at risk some 200,000 people who are using it.

Cybersecurity researchers from Wordfence and WPScan (both WordPress security firms) discovered the vulnerability in Royal Elementor Addons and Templates, a website-building add-on kit built by WP Royal.

The vulnerability is tracked as CVE-2023-5360, and has a severity score of 9.8 (critical). By abusing the flaw, threat actors can upload files onto the WP platform, and even bypass different checks the add-on has, such as permitted file types. That, down the road, could enable them to completely take over the vulnerable website (if, for example, they upload a file that allows for remote code execution).

Abused in the wild

The flaw has already been discovered by threat actors, and used in attacks, the researchers added, with attacks starting in late August 2023, with the volume significantly increasing on October 3.

Wordfence reported identifying and blocking more than 46,000 attacks, while WPScan has seen 889 instances of threat actors dropping ten different payloads. While this might sound like an onslaught, most attacks are coming from just two IP addresses, which could suggest that the flaw is only known to a small number of hackers.

The researchers reached out to WP Royal on October 3, and a patch was released within three days. To secure their websites, admins are advised to update the Royal Elementor Addons and Templates add-on to version 1.3.79. There are both commercial and free scanning solutions that can help admins determine if their website is susceptible or not, BleepingComputer finds. It’s also worth mentioning that uploading to the newest version won’t automatically remove the infections - admins will need to do so manually.

Via BleepingComputer

More from TechRadar Pro

Thousands of WordPress sites have been hit by another major plugin flaw - find out if you're at risk
Here's a list of the best firewalls today
These are the best ransomware protection tools right now

Walmart CEO started his career unloading trailers at the warehouse—he says he got promotion after promotion by raising his hand when his boss was out of town
Walmart's CEO went from earning $6.50 an hour to $25 million a year—here are his three tips for climbing the corporate ladder like him
Fortune•21h ago
Trump to set interest rates himself under secret presidential plan
Donald Trump’s aides have drawn up secret plans to oust the chairman of the Federal Reserve and allow the president to set interest rates, according to reports.
The Telegraph•14h ago
2 Stock-Split Stocks to Buy Hand Over Fist Right Now
These proven wealth builders could be exactly what you're searching for right now.
Motley Fool•18h ago
Analysts revamp Microsoft stock price target after earnings
Here's what could happen next to Microsoft shares.
TheStreet•8h ago
Housing supply surges by up to 50% in these metro areas — and many sellers are being forced to slash their asking prices
The property report includes 85 major metropolitan areas in the U.S. with populations of at least 750,000.
MarketWatch•22h ago
Bank of America lays out the exact scenario that could finally pop the stock market's AI bubble
It's been an "everything buy bonds" bull rally in markets for months, but BofA is cautiously watching a couple of indicators.
Business Insider•6h ago
U.S. panic over national debt might mark a culture shift—are Americans becoming more ‘European’ about money?
Jamie Dimon and Jerome Powell are taking the European viewpoint on soaring debt levels in the U.S.
Fortune•20h ago
If I Had to Construct a Portfolio of Just 5 ETFs, Here's Exactly What I'd Buy Right Now
It's possible to construct a winning long-term investment strategy with just low-cost index funds.
Motley Fool•23h ago
Departing top Tesla exec cashes out almost his entire stake for $181 million as longtime bull Ron Baron calls bottom in the stock
Baron, whose largest position is in Tesla, is betting the new shift in strategy for Tesla’s low-cost car will fill its increasingly empty factories.
Fortune•19h ago
Want $2,000 in Annual Dividends? Invest $30,000 in These 3 Stocks
Put your money to work by investing in these three high-quality dividend stocks.
Motley Fool•20h ago

News

Life

Entertainment

Finance

Sports

New on Yahoo

Yahoo Finance

Another major WordPress security flaw has been discoverd - so patch now

Abused in the wild

More from TechRadar Pro

Recommended Stories

Walmart CEO started his career unloading trailers at the warehouse—he says he got promotion after promotion by raising his hand when his boss was out of town

Trump to set interest rates himself under secret presidential plan

2 Stock-Split Stocks to Buy Hand Over Fist Right Now

Analysts revamp Microsoft stock price target after earnings

Housing supply surges by up to 50% in these metro areas — and many sellers are being forced to slash their asking prices

Bank of America lays out the exact scenario that could finally pop the stock market's AI bubble

U.S. panic over national debt might mark a culture shift—are Americans becoming more ‘European’ about money?

If I Had to Construct a Portfolio of Just 5 ETFs, Here's Exactly What I'd Buy Right Now

Departing top Tesla exec cashes out almost his entire stake for $181 million as longtime bull Ron Baron calls bottom in the stock

Want $2,000 in Annual Dividends? Invest $30,000 in These 3 Stocks