The developer of a popular WordPress plugin has updated its product to fix a critical vulnerability that could be exploited to change the appearance of websites.
Elementor is marketed as a leading website building platform for WordPress, enabling over five million users to easily create websites for themselves or their business without writing any code.
However, last week researchers at security firm Plugin Vulnerabilities discovered suspicious activity related to the plugin.
“We couldn’t find any recent disclosed vulnerabilities that should explain that, so we started doing our standard checks we do in a situation where a hacker may be exploiting an unfixed vulnerability in a plugin,” the firm explained.
“What we immediately found was that the plugin isn’t handling basic security right, as we found many functionalities where capabilities checks were missing where they shouldn’t. While some of those were not accessible to users that shouldn’t have access, we found at least one that is and the functionality accessible leads to one of the most serious types of vulnerabilities, remote code execution (RCE).”
It turned out the bug was introduced in version 3.6.0 of the plugin, released on March 22, meaning around 1.5 million users were impacted.
The vulnerability can be exploited by authenticated attackers with access to the WordPress admin dashboard, but it’s possible that it could also be used by threat actors not logged in, Plugin Vulnerabilities warned.
It appears to enable attackers to completely change the appearance of a targeted site by altering elements, including the name, logo, images and theme.
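The root cause the researchers describe is functionality reachable by logged-in users who lack the privilege it requires, because the handler never asks WordPress whether the caller is allowed. The following is an added illustration written for this article, not Elementor's code: a WordPress admin-ajax handler that changes site branding, first in the weak form (any authenticated user can call it) and then with the nonce, capability and input checks a plugin author should have. The action names, nonce name, script handle and the `example_` function names are hypothetical.

```php
<?php
/*
 * Added example, not Elementor's code. Two admin-ajax handlers that update
 * site branding (name and logo). Action names, nonce name, script handle and
 * function names are assumed for illustration.
 */

// --- Weak form: relies only on the user being logged in. ---
// A wp_ajax_{action} hook fires for ANY authenticated user, subscribers included.
// With no capability check, a low-privilege account can rewrite the site name.
function example_save_branding_unchecked() {
    $name = isset( $_POST['site_name'] ) ? wp_unslash( $_POST['site_name'] ) : '';
    update_option( 'blogname', sanitize_text_field( $name ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_branding_unchecked', 'example_save_branding_unchecked' );

// --- Hardened form: CSRF nonce + capability check + input validation. ---
function example_save_branding() {
    // 1. CSRF: the request must carry a nonce bound to this action and user.
    //    check_ajax_referer() terminates the request (HTTP 403) on failure.
    check_ajax_referer( 'example_save_branding_nonce', 'nonce' );

    // 2. Authorization: being logged in is not enough. Require the same
    //    capability WordPress itself demands for changing site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validation: never trust the request body, even from an administrator.
    $name = isset( $_POST['site_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['site_name'] ) )
        : '';
    if ( '' === $name || strlen( $name ) > 200 ) {
        wp_send_json_error( array( 'message' => 'Invalid site name.' ), 400 );
    }

    // Logo: accept only an existing media-library attachment that is an image,
    // rather than an arbitrary URL or path supplied by the client.
    $logo_id = isset( $_POST['logo_id'] ) ? absint( $_POST['logo_id'] ) : 0;
    if ( $logo_id && ! wp_attachment_is_image( $logo_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid logo attachment.' ), 400 );
    }

    update_option( 'blogname', $name );
    if ( $logo_id ) {
        set_theme_mod( 'custom_logo', $logo_id );
    }
    wp_send_json_success( array( 'site_name' => $name, 'logo_id' => $logo_id ) );
}
// Registered for logged-in users only: no wp_ajax_nopriv_ variant, so
// unauthenticated requests never reach the handler at all.
add_action( 'wp_ajax_example_save_branding', 'example_save_branding' );

// The client needs the nonce; hand it to the admin script that calls the endpoint.
function example_enqueue_branding_nonce() {
    wp_localize_script( 'example-admin', 'exampleBranding', array(
        'nonce' => wp_create_nonce( 'example_save_branding_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_branding_nonce' );
```

The difference between the two handlers is exactly the class of defect the researchers describe: `add_action( 'wp_ajax_...' )` only guarantees that someone is logged in, so a handler that changes site state must itself call `current_user_can()` with an appropriate capability, and `check_ajax_referer()` stops the request being triggered cross-site on behalf of an administrator. When reviewing a plugin, grepping its `wp_ajax_`, `wp_ajax_nopriv_` and REST route registrations and confirming each callback performs both checks is a quick way to find handlers like the weak one above.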
Fortunately, Elementor has now released version 3.6.3 to fix the issue, which users are urged to download. Plugin Vulnerabilities has published a proof-of-concept, making patching more urgent.
K2 Cyber Security CEO, Pravin Madhani, said organizations running WordPress sites must layer up security.
“WordPress powers as much as a third of all websites on the Internet, including some of the most highly trafficked sites and a large percentage of eCommerce sites, so why aren’t they better equipped to protect against attack?” he argued.
“For maximum protection, organizations using WordPress should make sure they use security in depth, including application, network and system level security. Finally, the simplest thing any organization can do to help reduce vulnerabilities is to keep their code up to date and patched.”