WordPress, the popular CMS, now powers more than half of the websites on the internet. Its users can choose from thousands of plugins to enhance their sites, and security researchers have found a critical vulnerability in two plugins made by the same company. It lets attackers log in to anyone's site with ease and take it over.
The MalCare team surfaced this vulnerability and reported it to Brainstorm Team, the maker of the two plugins: Ultimate Addons for Elementor and Ultimate Addons for Beaver Builder. Both are used by thousands of websites to design pages easily and enhance performance. The report led the makers to release patches within 7 hours and inform their customers. Here's how it happened.
After bypassing the login authentication, attackers have been uploading a tmp.zip file to install fake SEO statistics. This lets them plant a backdoor in the site's root directory as "wp-xmlrpc.php". From then on, requests from multiple IPs can reach the backdoor whenever they want.
How Do They Do It?
These plugins offer login through Google/Facebook in addition to the usual username and password combination. While the latter is strong enough to resist cracking, most users choose the former for easy access, and that is what let hackers log in easily too.
The Facebook/Google login methods did not verify the token returned by the provider, and there is no password to authenticate further, so a user's email ID or Facebook ID alone was enough to log in. This let hackers log in to users' WordPress accounts (even admin accounts) with just their email IDs, which are easy to obtain since many directories list them publicly.
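As an added illustration (not code from the affected plugins or from MalCare), the handler below shows the trust-the-client pattern the article describes next to a hardened handler that verifies the Google ID token with the provider before looking the user up. Function names such as insecure_social_login() and hardened_google_login() are hypothetical; the WordPress calls (get_user_by, wp_set_auth_cookie, wp_remote_get) and Google's tokeninfo endpoint are real.

```php
<?php
// Added illustration, not code from the affected plugins. The function
// names are hypothetical; the WordPress APIs and the Google endpoint are real.

// INSECURE PATTERN (what the article describes): the handler trusts the
// email sent by the browser and never asks the identity provider whether the
// token is genuine, so any request carrying an admin's email logs in as admin.
function insecure_social_login( $posted ) {
    $user = get_user_by( 'email', sanitize_email( $posted['email'] ) );
    if ( $user ) {
        wp_set_auth_cookie( $user->ID ); // no proof of identity required
        return $user->ID;
    }
    return false;
}

// HARDENED PATTERN: verify the ID token with Google's tokeninfo endpoint,
// check it was issued for this site's client ID, and only then look up the
// user by the email that Google itself reports (not the one the client sent).
function hardened_google_login( $id_token, $expected_client_id ) {
    $url      = 'https://oauth2.googleapis.com/tokeninfo?id_token=' . rawurlencode( $id_token );
    $response = wp_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false; // provider rejected the token or was unreachable: deny
    }
    $claims = json_decode( wp_remote_retrieve_body( $response ), true );
    $issuers = array( 'accounts.google.com', 'https://accounts.google.com' );
    if ( ! is_array( $claims )
        || empty( $claims['aud'] ) || $claims['aud'] !== $expected_client_id
        || empty( $claims['email'] ) || 'true' !== ( $claims['email_verified'] ?? '' )
        || ! in_array( $claims['iss'] ?? '', $issuers, true )
        || (int) ( $claims['exp'] ?? 0 ) < time() ) {
        return false; // wrong audience, unverified email, wrong issuer or expired
    }
    $user = get_user_by( 'email', $claims['email'] );
    if ( ! $user ) {
        return false; // do not auto-create accounts from a login endpoint
    }
    wp_set_auth_cookie( $user->ID );
    return $user->ID;
}
```

The same shape applies to Facebook: the access token must be checked against Facebook's debug_token endpoint with the app's own credentials before the returned user ID or email is trusted.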
Once in, the hacker controls the whole site and can steal data, sell counterfeit or illegal products, redirect visitors to spam sites, and so on. The MalCare team has already identified a few instances of attackers exploiting sites since day one (i.e., December 10th). You can check the settings info of these plugins on your site or install a third-party service to check; the MalCare security plugin can run such a scan.
Currently, the vulnerable versions are 1.0. Update from the links below to Version 220.127.116.11 (for Beaver Builder) and Version 1.20.1 (for Elementor) to stay secure. You can download the latest patches of these plugins and install them here:
The links are one-click downloads with a simple guided procedure for easy installation.