February 12, 2022
More than 600 thousand websites running the Essential Addons for Elementor plugin can be targeted by attackers, because the plugin contains a security vulnerability that leads to remote code execution (RCE).
Users of the plugin are advised to update immediately.
In this article, we explain what happened and what you need to do to close this security hole.
Security Vulnerability in the Essential Addons for Elementor Plugin
A security vulnerability in the Essential Addons for Elementor plugin allows attackers to perform local file inclusion (LFI): making the plugin include a file of the attacker's choosing from the server's filesystem.
If the attacker can place a file containing malicious PHP code on the server (an upload, for example) and then include it, the LFI turns into remote code execution (RCE).
An RCE attack can take over control of the website's system. As a result, the attacker can change, add, or delete important files on the website.
Cyber security researcher Wai Yan Myo Thet found this vulnerability in Essential Addons for Elementor version 5.0.4 and earlier.
The existence of this security vulnerability is unfortunate, considering that Essential Addons for Elementor helps WordPress users arrange website components without coding.
What Causes Elementor Security Vulnerabilities?
The vulnerability lies in the "dynamic gallery" and "product gallery" widgets, whose AJAX handlers ajax_load_more and ajax_eael_product_gallery load content on request.
When either widget is active, these handlers can be called by any visitor. The only check on the request is a nonce token, which does not restrict who may call the action, and the file path the request supplies is not verified before it is included. An attacker can exploit this to perform LFI.
So an attacker can reach RCE on the target website without logging in: by injecting PHP code into a file on the website and then including it, the system can be taken over.
Solutions You Need
The plugin developer released two updates, 5.0.3 and 5.0.4, that attempted to fix the issue, but the security hole is only fully resolved in version 5.0.5.
Because the Essential Addons for Elementor plugin had already reached version 5.0.7 at the time of writing, we recommend that you use the most recent version available.
You can update manually from the WordPress Dashboard via the Updates menu, then check the Plugins section for any plugins that need updating.
More generally, to defend against LFI bugs like this one in your own code, apply these steps:
- Store file paths in a database and refer to each file by an ID, so that the request never carries a path.
- Use an allowlist of verified, safe files and reject anything not on it.
- Keep files that could be abused if included (user uploads, for example) out of the directories your application includes from.
- Configure the server to serve uploaded files as downloads automatically, rather than executing files from that directory.
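To make the cause and the mitigations concrete, here is an added example in PHP. It is not code from the Essential Addons plugin or from this article's author. It shows the vulnerable pattern described above, an AJAX handler that builds an include path from request data, beside a hardened handler that maps a request-supplied ID to an allowlisted file and checks that the resolved path stays inside the template directory. The function names, the nonce action, the templates directory and the template list are all hypothetical; the WordPress functions called (check_ajax_referer, wp_unslash, sanitize_key, plugin_dir_path, wp_send_json_error, wp_die, add_action) are real.

```php
<?php
// Added example, not the plugin's own code. Demonstrates the bug class described
// above: an AJAX handler that builds an include path from request data (vulnerable),
// next to a hardened version that maps a request-supplied ID to an allowlisted file.
// Function and action names here are hypothetical, not Essential Addons' real ones.

// --- Vulnerable pattern (do not use) -----------------------------------------
// Any visitor can call this WordPress AJAX action. The nonce only proves that the
// request came from a page that rendered the nonce; it is not authorization, and
// nothing checks what $settings['template'] actually points at.
function demo_vuln_ajax_load_more() {
    check_ajax_referer('demo_nonce', 'nonce');

    $settings = (array) wp_unslash($_POST['settings'] ?? []);
    $template = $settings['template'] ?? 'default.php';

    // The attacker controls $template and can walk out of the directory with "../"
    // to any readable file, including one they uploaded that contains PHP code:
    // local file inclusion, which becomes code execution.
    include plugin_dir_path(__FILE__) . 'templates/' . $template;
    wp_die();
}

// --- Hardened pattern ---------------------------------------------------------
// 1. The request carries an opaque ID, never a path.
// 2. The ID is looked up in a fixed allowlist; anything else is rejected.
// 3. The resolved path is canonicalised and must stay inside the template dir.
const DEMO_TEMPLATES = [
    'grid'    => 'grid.php',
    'masonry' => 'masonry.php',
    'list'    => 'list.php',
];

function demo_resolve_template($template_id) {
    if (!is_string($template_id) || !isset(DEMO_TEMPLATES[$template_id])) {
        return null;
    }
    $base = realpath(plugin_dir_path(__FILE__) . 'templates');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . DEMO_TEMPLATES[$template_id]);
    // realpath() resolves "..", so a file outside $base cannot pass this prefix check.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function demo_safe_ajax_load_more() {
    check_ajax_referer('demo_nonce', 'nonce');

    // sanitize_key() strips everything except [a-z0-9_-], so the ID can never
    // contain a path separator even before the allowlist lookup.
    $template_id = sanitize_key($_POST['template_id'] ?? '');
    $path = demo_resolve_template($template_id);
    if ($path === null) {
        // wp_send_json_error() terminates the request, so include is never reached.
        wp_send_json_error('unknown template', 400);
    }
    include $path;
    wp_die();
}

// Register the hardened handler for both logged-in and anonymous visitors,
// matching the public (nopriv) exposure described above.
add_action('wp_ajax_demo_load_more',        'demo_safe_ajax_load_more');
add_action('wp_ajax_nopriv_demo_load_more', 'demo_safe_ajax_load_more');
```

The important difference is not the nonce check, which both handlers perform, but that the hardened handler never derives a filesystem path from untrusted input: the request names an ID, the allowlist names the file, and the realpath prefix check catches any mistake in the allowlist itself.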
Always Update WordPress Plugins to the Latest Versions!
Security vulnerabilities can arise even in popular plugins like Elementor and its add-ons. With a large user base, the security impact is large too.
Therefore, it is important to make sure your website uses the latest version of WordPress, plugins and themes.
Fortunately, Ipadguides service users can enjoy the WordPress Auto Updates feature without the hassle of manual updates. This feature ensures that your WordPress plugins, themes and core are always updated automatically.
Activation is also easy: click the Website tab on the Ipadguides Member Area page. Then click the Auto Update option on the WordPress Management tab.
Next, select the option Do Updates in All Available Versions and enable the Auto-update WordPress Plugins and Auto-update WordPress Theme toggles. Then click the Updates button.
With everything kept up to date, your website is better protected from various WordPress security vulnerabilities.
However, updating alone is sometimes not enough, given the amount of online crime. To be more secure, take additional security measures. Which ones?
We have summarized them in full in our free ebook, Powerful Steps to Secure a WordPress Website.
Created by Ipadguides in the Blog category.