Hackers exploit critical flaw in WordPress Royal Elementor plugin

    A critical vulnerability with a high severity level has been discovered in Royal Elementor Addons and Templates up to version 1.3.78. This vulnerability has been actively exploited by two reputable WordPress security teams. The vendor has not released a patch for this flaw, making it a zero-day exploit. Royal Elementor Addons and Templates, developed by ‘WP Royal’, is a website-building kit that allows users to create web elements without coding knowledge. It is a popular plugin with over 200,000 active installations according to

    The specific flaw, known as CVE-2023-5360 (CVSS v3.1: 9.8 “critical”), enables unauthenticated attackers to perform arbitrary file uploads on vulnerable sites. Even though the plugin has an extension validation feature that restricts uploads to specific permitted file types, unauthenticated users can manipulate the ‘allowed list’ to bypass sanitization and checks. This allows attackers to potentially achieve remote code execution, ultimately compromising the entire website. Detailed technical information about the vulnerability has been withheld in order to prevent widespread exploitation.

    The vulnerability has been targeted to create rogue admin accounts. Two prominent WordPress security firms, Wordfence and WPScan (Automattic), have noted that CVE-2023-5360 has been actively exploited since August 30, 2023, with an increase in attack volume starting on October 3, 2023. Wordfence has reported blocking over 46,000 attacks targeting Royal Elementor in the past month, while WPScan has recorded 889 instances of attackers using ten distinct payloads after leveraging the vulnerability.

    The malicious payloads used in these attacks are mostly PHP scripts that attempt to create a WordPress administrator user named ‘wordpress_administrator’ or act as a backdoor. Most attacks come from just two IP addresses, suggesting that only a few threat actors are aware of this exploit. The vendor of the add-on was notified about the flaw on October 3 and subsequently released version 1.3.79 of Royal Elementor Addons and Templates on October 6, 2023, to address the vulnerability. All users of the add-on are strongly advised to upgrade to this version as soon as possible.

    It is important to note that updating to version 1.3.79 will not automatically remove infections or delete malicious files, so affected websites will need to undergo a thorough cleanup process. If you do not have access to commercial scanning solutions, a free scanner is available to determine your website’s vulnerability to these attacks.

    In conclusion, this critical vulnerability in Royal Elementor Addons and Templates has been actively exploited, allowing attackers to perform arbitrary file uploads and potentially achieve remote code execution. Users are urged to update to version 1.3.79 and conduct a website cleanup if necessary.

    Latest articles

    Related articles