×

Hackers Exploit Critical Vulnerability in Royal Elementor WordPress Plugin

A critical severity vulnerability affecting Royal Elementor addons and templates prior to version 1.3.78 is reportedly being actively exploited by two WordPress security teams.

Since exploitation was observed before the vendor released the patch, hackers exploited this flaw on the created WordPress site as a zero-day.

Royal Elementor Addons and Templates by "WP Royal" is a website-building kit that allows you to quickly create web elements without coding knowledge.

The flaw affecting the add-on is tracked as CVE-2023-5360 (CVSS v3.1: 9.8 "critical"), allowing unauthenticated attackers to perform arbitrary file uploads to vulnerable sites.

Even though the WordPress plugin has extension validation to limit downloads to only certain, allowed file types, unauthenticated users can manipulate the "allowlist" to bypass disinfection and checks.

Attackers can potentially achieve remote code execution with this file upload step, resulting in a complete compromise of the website. Additional technical details about the defect have been withheld to prevent widespread use. Used to create fraudulent administrator accounts.

If you don't have access to any commercial  WordPress virus scanning and scanning solutions  , you can use a scanner to determine your website's vulnerability to attacks.

Keep in mind that updating to version 1.3.79 will not automatically remove infections or malicious files, so in such cases it will be necessary to clean the website, so it is better to contact specialists to check the site for viruses for vulnerabilities.

01Office in Kiev
Kiev, 02068
st. Akhmatova 9/18
02Brovary office
Brovary, 07405
st. Chornovola 2-A
03Work
Mon-Fri 9: 00-18: 00
Sat. 11-00 -16: 00