
Details of the Royal Elementor Plugin Vulnerability
A critical-severity vulnerability has been found in the Royal Elementor Addons and Templates WordPress plugin and has been exploited as a zero-day against WordPress websites. The plugin, developed by WP Royal, lets site administrators build websites without writing code. It is widely deployed, with more than 200,000 active installations listed on the WordPress plugin marketplace.
Explanation of the Exploited Bug
The exploited bug has been assigned CVE-2023-5360 and carries a CVSS score of 9.8. The flaw is insufficient file type validation in the plugin's upload function: unauthenticated attackers can upload arbitrary files to a vulnerable site, which in turn leads to remote code execution.
Implications of the Royal Elementor Plugin Flaw
The flaw affects all Royal Elementor versions before 1.3.79. According to WordPress security firm Defiant (the company behind Wordfence), the vulnerability has been heavily exploited in malicious attacks since August 30. The firm has observed over 46,000 attack attempts targeting the flaw, with a sudden surge in activity on October 3. Most attacks originate from three IP addresses and deploy files that create a malicious administrator account.
Patch and Protective Measures against the Vulnerability
The vendor fixed the flaw in version 1.3.79, released on October 6. Administrators and site owners should update promptly to Royal Elementor version 1.3.79, which contains the patch. In addition, Automattic's WPScan team recommends checking the /wpr-addons/forms/ directory for malicious PHP files, specifically files that create a user account named 'wordpress_administrator'.
Specifics of the Vulnerability Exploitation
The critical vulnerability in the Royal Elementor plugin has been exploited in malicious attacks since August 30, putting a large number of WordPress websites at risk. WordPress security firms Wordfence and WPScan have been tracking these attacks and report the trends below.
Rising Attack Trends and Patterns
Wordfence reports that over the past month it has blocked more than 46,000 attacks targeting Royal Elementor. WPScan, for its part, has documented 889 cases in which attackers used the vulnerability to drop ten distinct, potentially harmful payloads. The notable increase in attack volume began on October 3, and the threat to unpatched WordPress sites is ongoing.
Origin of Attacks and Intended Impact
The majority of these attacks originate from just three IP addresses, which suggests that the exploit is currently known to a limited number of threat actors. The main aim of the attacks is to deploy files that create a malicious administrator account, giving the attackers full control over the target sites.
Update and Scanning Precautions
The vulnerability was addressed as soon as it was discovered: full details of the threat were provided to the plugin vendor on October 3, and a patched version, Royal Elementor Addons and Templates 1.3.79, was released on October 6. All users of the add-on are strongly advised to update to the patched version as soon as possible. Users can also run a free scanner to check whether their website is susceptible to these attacks. Note that updating to the patched version may not remove existing infections or delete malicious files already on the site, so a thorough cleanup is recommended for any site that was exposed while vulnerable.
Malicious Activities Identified in the Exploit
Security researchers have identified a range of malicious activity tied to exploitation of the Royal Elementor plugin vulnerability. These actions pose a serious threat to WordPress websites, potentially giving attackers unauthorized access and control.
Deployment of Malicious Files
During the attacks, at least one malicious file was deployed into the /wpr-addons/forms/ directory. Administrators who notice unexpected changes in their site's behaviour should treat this as a possible sign of compromise. The deployed files carry malicious content designed to further exploit the site and advance the attackers' aims.
Creation of Rogue User Accounts
Particularly concerning is the presence of malicious PHP files, including one that creates a user account named 'wordpress_administrator'. Such an account gives attackers a backdoor into the site with full administrator privileges, and a base from which to stage further attacks or otherwise exploit the website for their own gain.
Uploading of Malware to Compromised Websites
Beyond creating rogue accounts, the vulnerability has also been exploited to upload malware to compromised WordPress websites. Such malware can serve various purposes, including stealing sensitive data, degrading site performance, and using the site as a hub to launch further attacks. Detecting and removing it is crucial for WordPress administrators to limit the damage to their sites.
Prevention and Patching of the Vulnerability
With the Royal Elementor plugin vulnerability under continuous exploitation, website administrators should act promptly to mitigate the risk and prevent further damage.
Updating Royal Elementor
Administrators and website owners are strongly advised to update to Royal Elementor version 1.3.79 as soon as possible. This version, released on October 6, patches the vulnerability. Updating the plugin is the essential step in closing the hole and removing the site's exposure to attacks that exploit this particular flaw.
Checking for Malicious Files
Apart from updating the plugin, site administrators also need to check for existing compromises. They should examine the /wpr-addons/forms/ directory for any malicious files, especially ones that create a user account named 'wordpress_administrator'. Identifying and removing such files is a necessary step in cleaning up after exploitation of the vulnerability.
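The checks recommended above (PHP files in the /wpr-addons/forms/ directory and the 'wordpress_administrator' account, as described in the patch and cleanup sections) can be scripted. The following is an added example, not code from the advisory or from the plugin; it assumes the form-upload directory sits at wp-content/uploads/wpr-addons/forms/ under the WordPress root and builds a constructed sample directory so it can be run offline.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): defender's check for the
# indicators named in the advisory. Assumption: the form-upload directory is
# wp-content/uploads/wpr-addons/forms/ under the WordPress root.

# List PHP-like files in the directory; none are expected in a form-upload
# folder. Files mentioning 'wordpress_administrator' are flagged separately.
scan_wpr_forms() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) -print |
    while IFS= read -r f; do
        if grep -q 'wordpress_administrator' "$f"; then
            printf 'SUSPECT (references wordpress_administrator): %s\n' "$f"
        else
            printf 'SUSPECT (unexpected PHP in upload dir): %s\n' "$f"
        fi
    done
}

# Count the PHP-like files so callers can branch on the result (0 = clean).
count_wpr_php() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null | wc -l | tr -d ' '
}

# Read user logins on stdin (for a live site: `wp user list --field=user_login`)
# and return 0 if the rogue account named in the advisory is present.
has_rogue_admin() {
    grep -qx 'wordpress_administrator'
}

# Build a constructed sample directory (one benign upload, one PHP marker file)
# so the check can be exercised without touching a real site.
make_constructed_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/wpr-addons/forms"
    printf '%%PDF-1.4 constructed benign upload\n' > "$d/wpr-addons/forms/resume.pdf"
    printf '<?php /* constructed test marker: wordpress_administrator */\n' \
        > "$d/wpr-addons/forms/form-data.php"
    echo "$d/wpr-addons/forms"
}

if [ "${1:-}" = "--demo" ]; then
    sample=$(make_constructed_sample)
    scan_wpr_forms "$sample"
    printf 'admin\nwordpress_administrator\n' | has_rogue_admin && echo "rogue admin account present"
fi
```

On a real site, point scan_wpr_forms at the uploads directory and pipe the output of `wp user list --field=user_login` into has_rogue_admin; a hit from either check means the site needs a full cleanup, not just the plugin update.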
Given the severity of the flaw and the wide deployment of the Royal Elementor plugin, vigilance and immediate action are essential to protect sites against attackers looking to exploit this vulnerability.