Fintedex — Business, Fincance & Investment News
Critical WordPress plugin bug leaves millions of sites open to attack

by Timothy Wilson
29.09.2022
in Technology

A new, dangerous vulnerability in a popular WordPress plugin was recently discovered. Cybersecurity researchers from Wordfence uncovered a flaw in the Elementor plugin that allowed any authenticated user to upload arbitrary PHP code.

Elementor is one of the most popular plugins for WordPress, installed on more than five million websites. 

The plugin was recently upgraded to version 3.6.0, which introduced, among other things, a new Onboarding module intended to simplify the plugin’s initial setup. However, the researchers found that the module registered its AJAX actions using an “unusual” method that performed no capability checks.


Executing malicious code

“There are a number of ways for an authenticated user to obtain the Ajax::NONCE_KEY, but one of the simplest ways is to view the source of the admin dashboard as a logged-in user, as it is present for all authenticated users, even for subscriber-level users,” the researchers explain.

Consequently, any logged-in user could call any of the onboarding functions. For example, an attacker could create a malicious “Elementor Pro” plugin zip and use the onboarding functions to install it. The site would then execute any code present in the plugin, including code designed to take over the site or access additional resources on the server.

The researchers added that the functions could also be used to completely deface the site.
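To make the missing check concrete, here is an added illustrative example (not Elementor's code and not taken from the Wordfence write-up): a WordPress AJAX handler that relies only on a nonce, beside a version that also verifies the caller's capability. The action names, nonce key and function names are placeholders.

```php
<?php
// Illustrative example only: NOT the Elementor plugin's code.
// Shows why a nonce alone is not an authorization check.

// VULNERABLE PATTERN: the handler only verifies a nonce. As the article
// notes, the nonce is printed into the admin dashboard for every logged-in
// user, so a subscriber-level account passes this check and reaches the
// privileged code path (here, installing a plugin from a supplied zip).
add_action( 'wp_ajax_demo_install_plugin', 'demo_install_plugin_insecure' );
function demo_install_plugin_insecure() {
    // Valid for ANY authenticated user who can read the dashboard source.
    check_ajax_referer( 'demo_nonce_key', '_nonce' );

    $zip_url = isset( $_POST['zip_url'] ) ? esc_url_raw( wp_unslash( $_POST['zip_url'] ) ) : '';
    // ... privileged work would happen here (plugin installation omitted) ...
    wp_send_json_success( array( 'queued' => $zip_url ) );
}

// HARDENED PATTERN: a nonce proves the request originated from the site's
// own page (CSRF protection); it says nothing about what the caller is
// allowed to do. An explicit capability check must gate the privileged action.
add_action( 'wp_ajax_demo_install_plugin_safe', 'demo_install_plugin_secure' );
function demo_install_plugin_secure() {
    check_ajax_referer( 'demo_nonce_key', '_nonce' );

    // Only users who may install plugins (administrators by default) proceed.
    // Subscribers, contributors and authors are rejected with HTTP 403.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $zip_url = isset( $_POST['zip_url'] ) ? esc_url_raw( wp_unslash( $_POST['zip_url'] ) ) : '';
    // ... privileged work would happen here (plugin installation omitted) ...
    wp_send_json_success( array( 'queued' => $zip_url ) );
}
```

When auditing a plugin, every `wp_ajax_*` (and especially `wp_ajax_nopriv_*`) callback that can change site state should show a `current_user_can()` check, not just `check_ajax_referer()` or `wp_verify_nonce()`.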


The good news is that the flaw is not present in any Elementor versions prior to 3.6.0, and the patch for the bug is already available. 

On April 12, the team published version 3.6.3 of the plugin, with Wordfence urging all Elementor users to upgrade as soon as possible.

Being one of the most popular plugins for WordPress, Elementor is often a target for bug hunters and threat actors.

In early February, cybersecurity researcher Wai Yan Muo Thet discovered a vulnerability in the Essential Addons for Elementor plugin – a critical remote code execution (RCE) flaw that allowed potential malicious actors to perform a local file inclusion attack.
