This dangerous WordPress attack threatens millions of websites

A fix has already been deployed

Security researchers have uncovered a serious vulnerability in the popular Elementor WordPress website builder that could allow attackers to take over any website built with it.

Elementor claims to be used on over seven million WordPress websites. The stored cross-site scripting (XSS) vulnerability was discovered by Wordfence, which develops security tools, including plugins, to protect WordPress.

“These vulnerabilities allowed any user able to access the Elementor editor, including contributors, to add JavaScript to posts. This JavaScript would be executed if the post was viewed, edited, or previewed by any other site user, and could be used to take over a site if the victim was an administrator,” explains Wordfence.

Now patched

Wordfence disclosed the vulnerability to Elementor last month, and it has since been patched.

What made the vulnerability particularly dangerous was that it could be exploited by anyone holding the Contributor role on a WordPress site. Contributor is the lowest default role that can write posts at all: it cannot publish them, upload media or change settings, which is exactly why sites hand it out freely.

Wordfence found that several elements in the Elementor editor accepted values that were checked only in the browser, not on the server, so a malicious user could save a post containing executable JavaScript. When an administrator later opened that post to review it, the script would run in the administrator's browser and, with those privileges, could create a new administrator account under the attacker's control.

The researchers say the way to prevent this class of bug is to enforce a list of allowed HTML tags on the server side rather than only in the client, where any check can be bypassed by sending the request directly. “Indeed, this is the approach the patched version uses to correct the issue,” concludes Wordfence.
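To show what "validated only on the client" versus "allowlisted on the server" means in practice, here is an added example written for this article; it is not Elementor's or Wordfence's code, and the function names, the `html_tag` setting key and the sample settings array are all constructed for illustration. It renders a heading element whose tag name comes from a stored setting, first trusting that setting (the vulnerable pattern) and then checking it against a server-side allowlist (the fixed pattern):

```php
<?php
// Added example, not Elementor's code. A page builder stores element
// settings chosen by whoever edits the post (possibly a Contributor) and
// renders them later for whoever views or previews it. The editor's
// dropdown may only offer safe tag names, but nothing stops a user from
// sending any value in the save request, so the check must live where
// the HTML is produced: on the server.

// Tags a heading element is allowed to render as (assumed allowlist).
const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

// Vulnerable pattern: the stored tag name is dropped straight into the
// markup because the client-side editor "only offers" safe values.
function render_heading_unsafe(string $tag, string $text): string
{
    return sprintf('<%1$s class="heading-title">%2$s</%1$s>', $tag, $text);
}

// Hardened pattern: the tag name is checked against the allowlist on the
// server, with a safe fallback when it is not on the list.
function validate_html_tag(string $tag, array $allowed, string $default = 'h2'): string
{
    $tag = strtolower(trim($tag));
    return in_array($tag, $allowed, true) ? $tag : $default;
}

function render_heading_safe(string $tag, string $text): string
{
    $tag  = validate_html_tag($tag, ALLOWED_HEADING_TAGS);
    // The visible text is escaped as well, so it cannot close the element
    // or inject attributes even when the tag name is valid.
    $text = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<%1$s class="heading-title">%2$s</%1$s>', $tag, $text);
}

// Constructed sample settings, as a Contributor could submit them by
// editing the save request rather than using the editor UI.
$settings = [
    'html_tag' => 'script',
    'text'     => 'alert(document.cookie)',
];

echo render_heading_unsafe($settings['html_tag'], $settings['text']), PHP_EOL;
echo render_heading_safe($settings['html_tag'], $settings['text']), PHP_EOL;
```

Run it with `php example.php`: the unsafe renderer emits a `<script>` element carrying the attacker's payload, which would execute for the administrator who previews the post, while the safe renderer falls back to an `<h2>` and prints the payload as inert text. For settings that legitimately contain a block of HTML rather than a single tag name, WordPress already ships a server-side allowlist filter, `wp_kses()` and its `wp_kses_post()` wrapper, which is the same idea applied to a whole document fragment.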

Via: WPTavern

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.