Researchers have disclosed flaws in two popular WordPress plugins, together installed on over 7 million websites, that, if successfully exploited, could allow an attacker to run arbitrary code and take over a website in certain scenarios.
Flaws in Two Popular WordPress Plugins
According to Wordfence, which discovered the security weaknesses in Elementor, the bug concerns a set of stored cross-site scripting (XSS) vulnerabilities (CVSS score: 6.4), which occur when a malicious script is injected directly into a vulnerable web application and persisted there, so that it is served to subsequent visitors.
Because the flaws stem from dynamic data entered into a template being used to carry scripts that launch XSS attacks, the issue can be thwarted by validating the input and escaping the output data, so that any HTML tags passed as input are rendered harmless.
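The validate-then-escape approach described above, as an added PHP example that is not Elementor's or Wordfence's code. The stored field values are constructed, and esc_text()/esc_href() stand in for WordPress's esc_html()/esc_url() so the snippet runs with plain PHP.

```php
<?php
// Added example modelling the pattern described above: a value an
// authenticated user saves into a page-builder template is later rendered
// into every visitor's page. Sample values below are constructed.
$storedTitle = '<img src=x onerror=alert(1)>My Heading';
$storedUrl   = 'https://example.invalid/" onmouseover="alert(1)';

// Vulnerable: stored data is concatenated into HTML unescaped, so markup
// inside it becomes part of the page (stored XSS).
function render_unsafe(string $title, string $url): string {
    return '<a href="' . $url . '">' . $title . '</a>';
}

// Step 1, validate on save: a heading is plain text, so strip markup
// before it ever reaches the database.
function sanitize_title_on_save(string $title): string {
    return trim(strip_tags($title));
}

// Step 2, escape on output for the context the value lands in. These are
// stand-ins for WordPress's esc_html() and esc_url(); the plain-PHP versions
// keep the example self-contained.
function esc_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function esc_href(string $url): string {
    // Only http(s) targets are allowed (drops javascript: and data: URLs),
    // then the value is escaped for the attribute context.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    return esc_text($url);
}

function render_safe(string $title, string $url): string {
    return '<a href="' . esc_href($url) . '">' . esc_text($title) . '</a>';
}

echo 'Unsafe: ' . render_unsafe($storedTitle, $storedUrl) . PHP_EOL;
// Escaping alone already neutralises the payload: tags become literal text
// and the quote in the URL cannot terminate the href attribute.
echo 'Safe (escaped only): ' . render_safe($storedTitle, $storedUrl) . PHP_EOL;
echo 'Safe (validated+escaped): ' . render_safe(sanitize_title_on_save($storedTitle), $storedUrl) . PHP_EOL;
```

Validation on save and escaping on output are independent layers; the second line of output shows that escaping holds even when the stored value was never validated.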
Separately, an authenticated remote code execution (RCE) vulnerability was discovered in WP Super Cache that could allow an adversary to upload and execute malicious code with the goal of gaining control of the site. The plugin is reported to be used on more than two million WordPress sites.
Following responsible disclosure on February 23, Elementor fixed the issues in version 3.1.4 released on March 8 by hardening “allowed options in the editor to enforce better security policies.” Likewise, Automattic, the developer behind WP Super Cache, said it addressed the “authenticated RCE in the settings page” in version 1.7.2.
It’s highly recommended that users of the plugins update to the latest versions to mitigate the risk associated with the flaws.
What is Elementor?
Elementor is a drag-and-drop page builder for WordPress. This plugin helps you create beautiful pages using a visual editor. It’s designed for you to build dynamic websites quickly.
This WordPress plugin is an all-in-one solution letting you control every part of your website design in a single platform. You can customize your website to fit your brand with motion effects, multiple fonts, and enhanced background images.
What is WP Super Cache?
WP Super Cache is a popular free caching plugin for WordPress users.
A caching plugin needs to generate a cached version of pages without consuming too many server resources. Most caching plugins generate a cached file when a page is requested for the first time, then keep those files stored for a pre-defined duration.
Caching is an advanced process, so a plugin needs to make it easier even for non-technical users. The options can be extensive, but they need to be presented with a clear user interface and plenty of explanation.