WordPress Royal Elementor plugin exploited by hackers
Take action: If you are using the Royal Elementor plugin, start patching immediately, and check the /wpr-addons/forms/ directory for unexpected PHP files and check the site for unknown administrator user accounts.
A critical vulnerability has been identified in the "Royal Elementor Addons and Templates" WordPress plugin developed by WP Royal. This plugin is a tool that aids domain administrators in creating websites without the need for coding knowledge and has more than 200,000 active installations on the WordPress marketplace.
The vulnerability, tracked as CVE-2023-5360 (CVSS score 9.8), allows unauthenticated attackers to upload arbitrary files onto sites that use the plugin. Specifically, the plugin's insufficient file type validation in its upload function lets attackers bypass security checks, potentially leading to remote code execution.
This flaw affects all versions of Royal Elementor prior to 1.3.79.
Security firms, including Defiant and Automattic's WPScan team, noted that malicious attacks exploiting this vulnerability have been ongoing since at least August 30th. At the time of the report, Defiant had observed over 46,000 attacks aiming to exploit this flaw, with a noticeable increase in activity on October 3rd. The primary intention behind these attacks appeared to be the deployment of certain files on the targeted sites, allowing the attackers to create a malicious administrator account.
Most attackers placed at least one malicious file in the /wpr-addons/forms/ directory of compromised websites. The plugin's flawed security mechanism relied on simple extension validation, which attackers could manipulate to upload disallowed file types. Administrators should check this directory for malicious PHP files, specifically those creating a user account named 'wordpress_administrator'. The researchers also found that some attackers used the vulnerability to upload other malware to compromised sites.
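The two checks the advisory recommends (unexpected PHP files in the forms directory, and unknown administrator accounts) can be scripted for triage. The following POSIX shell script is an added example written for this page; it is not code from the advisory, from WP Royal, or from the plugin. It assumes the forms directory lives at wp-content/uploads/wpr-addons/forms/ under the WordPress root (the advisory names only /wpr-addons/forms/), and that the site can be queried with WP-CLI. Because the flaw was in extension validation, the file scan flags files by content as well as by name, so a PHP payload carrying a harmless-looking extension is still reported.

```shell
#!/bin/sh
# Added triage helper for the Royal Elementor Addons upload issue (example code,
# not the plugin's or the advisory's own). Usage: sh wpr_triage.sh /path/to/wordpress

# List files under the forms directory that are PHP by extension OR by content.
# Output is one path per line, de-duplicated.
scan_forms_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    {
        # Name-based: PHP-family extensions, matched case-insensitively.
        find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \
                             -o -iname '*.phar' -o -iname '*.php[0-9]' \) -print
        # Content-based: any file containing a PHP open tag, whatever its name.
        # grep returns 1 when nothing matches; that is not an error here.
        grep -rlF -e '<?php' -e '<?=' "$dir" || true
    } | sort -u
}

# Narrow the hits to files that mention the account name the advisory reports
# ('wordpress_administrator'). A hit is a candidate for manual review, not proof.
flag_account_creators() {
    scan_forms_dir "$1" | while IFS= read -r f; do
        if grep -qF 'wordpress_administrator' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Show administrator accounts so unknown ones can be spotted. Requires WP-CLI;
# --path, --role and --fields are standard 'wp user list' options.
list_admin_users() {
    wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --path="$1"
}

if [ -n "${1:-}" ]; then
    # Assumed location of the plugin's forms directory (see lead-in).
    forms_dir="$1/wp-content/uploads/wpr-addons/forms"
    echo "== PHP-like files under $forms_dir =="
    scan_forms_dir "$forms_dir"
    echo "== Files referencing 'wordpress_administrator' =="
    flag_account_creators "$forms_dir"
    echo "== Administrator accounts =="
    list_admin_users "$1"
fi
```

Every path the script prints is a lead to examine, not a verdict: compare flagged files against a clean copy of the plugin and the site's own upload history, and treat any administrator account you did not create, whatever its name, as suspect. Updating to 1.3.79 closes the upload hole but removes none of these files or accounts.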
To address this vulnerability, WP Royal released a patched version 1.3.79 of the plugin on October 6th. It's highly recommended that all users of the plugin update to this version. Note that updating to the patched version will not automatically remove any infections or malicious files already present due to the exploit. Affected websites will require a cleanup to ensure security.