Tuesday, October 17, 2023

Critical Flaw in Royal Elementor Addons and Templates for WordPress


A critical vulnerability in Royal Elementor Addons and Templates for WordPress has been actively exploited since late August. The flaw, insufficient file type validation in the plugin's upload handling, allows unauthenticated attackers to upload arbitrary files. The plugin is installed on more than 200,000 websites. Users are urged to ensure they have updated to version 1.3.79 or later.

The flaw, which is fixed in version 1.3.79, allowed arbitrary upload of PHP files with malicious content, which gives an attacker remote code execution and a complete takeover of the site. Make sure that you've updated your Royal Elementor plugin. The Wordfence WAF already had protections, in both the paid and free versions, against uploads of files with malicious content; even so, make sure you've got the updated plugin, or that you've uninstalled it if it is no longer used.
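The bug class behind this advisory is worth seeing in code. The following is an added illustration written for this note, not code from the plugin, from its fix, or from Wordfence: an upload check that trusts the client's idea of which file types are allowed and looks only at the last extension, next to a hardened check that uses a server-side allowlist, inspects every dotted segment of the name, and verifies that the file's leading bytes match what the extension claims. The function names, the allowed-type lists and the sample files are all constructed for the example.

```php
<?php
// Illustrative upload validation, written for this note. It is not the
// Royal Elementor Addons code and does not reproduce the plugin's fix.

// Server-side allowlist: extension => acceptable leading byte signatures.
const ALLOWED_SIGNATURES = [
    'png'  => ["\x89PNG\r\n\x1a\n"],
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'gif'  => ["GIF87a", "GIF89a"],
    'pdf'  => ["%PDF-"],
];

// Extensions a typical web server may hand to an interpreter; never accept
// them in any position of the file name, not only the last one.
const EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'htaccess', 'cgi', 'pl', 'sh',
];

/**
 * The anti-pattern: the list of allowed types arrives with the request, so an
 * attacker simply adds "php" to it, and only the final extension is compared.
 */
function vulnerable_is_allowed(string $filename, array $client_allowed_types): bool {
    $ext = pathinfo($filename, PATHINFO_EXTENSION);
    return in_array($ext, $client_allowed_types, true);
}

/**
 * Hardened check. Returns the accepted extension, or null to reject.
 */
function hardened_validate(string $filename, string $contents): ?string {
    $base  = strtolower(basename($filename));   // drop any path component, ignore case
    $parts = explode('.', $base);
    if (count($parts) < 2 || $parts[0] === '') {
        return null;                             // no extension, or a dotfile such as .htaccess
    }
    array_shift($parts);                         // remaining segments are all extensions
    foreach ($parts as $segment) {
        if (in_array($segment, EXECUTABLE_EXTENSIONS, true)) {
            return null;                         // rejects shell.php.jpg and shell.jpg.php alike
        }
    }
    $ext = end($parts);
    if (!isset(ALLOWED_SIGNATURES[$ext])) {
        return null;                             // not on the server-side allowlist
    }
    foreach (ALLOWED_SIGNATURES[$ext] as $magic) {
        if (strncmp($contents, $magic, strlen($magic)) === 0) {
            return $ext;
        }
    }
    return null;                                 // content does not match the claimed type
}

/** Never store under the client-chosen name; pick a random one with the vetted extension. */
function safe_storage_name(string $ext): string {
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples for the demonstration (not captured traffic).
$png_bytes = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16);
$webshell  = "<?php system(\$_GET['c']); ?>";

$cases = [
    ['name' => 'photo.png',        'data' => $png_bytes],
    ['name' => 'shell.php',        'data' => $webshell],
    ['name' => 'shell.php.jpg',    'data' => $webshell],   // double extension
    ['name' => 'shell.jpg.PHP',    'data' => $webshell],   // case trick
    ['name' => 'not-an-image.png', 'data' => $webshell],   // extension lies about content
    ['name' => '../.htaccess',     'data' => "AddType application/x-httpd-php .jpg"],
];
// In the anti-pattern this list is attacker-controlled, so it can contain "php".
$client_allowed = ['png', 'jpg', 'php'];

foreach ($cases as $c) {
    $ext = hardened_validate($c['name'], $c['data']);
    printf("%-18s vulnerable=%-5s hardened=%s\n",
        $c['name'],
        vulnerable_is_allowed($c['name'], $client_allowed) ? 'allow' : 'deny',
        $ext === null ? 'deny' : 'allow as ' . safe_storage_name($ext));
}
```

The extension and magic-byte checks are only half of the defence: the upload directory should also be configured so the web server never executes anything stored there, so that a bypass of the name check still does not yield code execution.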


Another week, another announcement of a WordPress plugin vulnerability. Given that the vulnerability is being actively exploited and carries a CVSS score of 9.8, users of the plugin should download the update and patch immediately. If you wish to roll the dice, use a free vulnerability scanner to check whether your website is running a vulnerable version first.

Read more in:
- www.wordfence.com: PSA: Critical Unauthenticated Arbitrary File Upload Vulnerability in Royal Elementor Addons and Templates Being Actively Exploited
- www.bleepingcomputer.com: Hackers exploit critical flaw in WordPress Royal Elementor plugin
