A technical flaw threatens a million WordPress websites


A vulnerability in a WordPress extension makes it possible to take control of the targeted site. Attacks have already been observed.

One of the most popular plug-ins for creating a WordPress site contains a flaw that directly endangers site owners. The alert comes from the cybersecurity company PatchStack, which published a report on the Elementor extension in a blog post on May 11.

The affected module, “Essential Addons for Elementor”, a sort of catalog for customizing pages, has been added by more than a million sites using WordPress, a platform that makes it very easy to set up a functional website. WordPress has become a must today: millions of websites use it.

The flaw allows attackers to initiate a password reset for administrators, and therefore take control of their platform. “This vulnerability is due to the fact that this reset function does not use any deactivation key of the previous password, and directly modifies that of the user concerned,” the report reads.

[Image] Elementor is the problematic WordPress extension. Source: Elementor

The consequences of such a vulnerability are potentially serious. They range from unauthorized access to private information, defacement or removal of websites and distribution of malware to visitors, to brand repercussions such as loss of trust.

Before launching their operation, attackers must know a username used to log into the WordPress platform of the target site, which is quite easy to find today. Another possible danger: having your site built by a service provider who is not aware of this vulnerability. The Akamai company has already noted XSS attacks (an injection of malicious code into a site) based on this flaw.
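The flaw described in the report, a reset function that changes the password without checking any reset key, can be modelled next to a handler that does check one. This Python model is an added example, not code from Essential Addons for Elementor or from the report; the `Site` class, its method names and the one-hour key lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Site:
    """Toy account store, constructed for this example (not WordPress code)."""
    RESET_TTL = 3600  # assumed lifetime of a reset key, in seconds

    def __init__(self, clock=time.time):
        self.clock = clock    # injectable so expiry can be exercised
        self.users = {}       # login -> (salt, password hash)
        self.reset_keys = {}  # login -> (sha256 of key, expiry timestamp)

    def set_password(self, login, password):
        salt = secrets.token_bytes(16)
        self.users[login] = (salt, _hash(password, salt))

    def check_password(self, login, password):
        salt, stored = self.users[login]
        return hmac.compare_digest(stored, _hash(password, salt))

    def issue_reset_key(self, login):
        """Return a random key meant to reach the account owner by e-mail."""
        key = secrets.token_urlsafe(32)
        digest = hashlib.sha256(key.encode()).digest()
        self.reset_keys[login] = (digest, self.clock() + self.RESET_TTL)
        return key

    def reset_flawed(self, login, new_password, key=None):
        """Flaw described in the report: the key is never checked."""
        if login in self.users:
            self.set_password(login, new_password)
        return login in self.users

    def reset_checked(self, login, new_password, key):
        """Change the password only for a valid, unexpired, unused key."""
        digest, expiry = self.reset_keys.get(login, (b"", 0.0))
        supplied = hashlib.sha256((key or "").encode()).digest()
        valid = hmac.compare_digest(digest, supplied)
        if login not in self.users or self.clock() > expiry or not valid:
            return False
        del self.reset_keys[login]  # single use: a replayed key fails
        self.set_password(login, new_password)
        return True
```

With `reset_flawed`, knowing the login is enough to change the password; `reset_checked` refuses a missing, wrong, expired or already used key and leaves the existing password in place.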

An online fix

A patch for Essential Addons for Elementor has been released and made available on this page. It is recommended that all users of this module upgrade to the latest version as soon as possible. Flaws in WordPress extensions are common given the high number of solutions offered today to customize your site.

Attacks exploiting similar vulnerabilities have already taken place, generally by injection of malicious code, and most often without serious consequences. Nevertheless, a poorly secured site can expose a lot of data that can potentially be exploited or resold later.

