Hackers target "critical" vulnerabilities in WordPress plugins

Latest campaign targets Elementor Pro and Ultimate Addons for Elementor

WordPress app icon on iOS device

WordPress has become an increasingly popular target for hackers. Most recently, cybercriminals have diligently exploited an array of security vulnerabilities within specific WordPress plugins with the goal of remotely executing arbitrary code and compromising unpatched targets.

According to Cyware, Wordpress plugin Elementor Pro has fallen prey to such attacks. With over 1 million active installations, the plugin’s vulnerability has been listed as “critical.”

By using a remote code execution bug, hackers with registered user access can upload arbitrary files to targeted sites and execute code remotely. After exploiting the flaw, hackers can then install backdoors that allow them to control access to the impacted sites and even erase them completely. 

Ultimate Addons for Elementor, a WordPress plugin with over 110,000 installations, also appears to be impacted. A vulnerability within this plugin allows the Elementor Pro vulnerability to be further exploited, even if the site doesn’t have user registration enabled. 

Cyware has deduced that Wordpress sites with unidentified subscriber-level users may have been compromised as part of this hack. Cyware encourages users to check their site for files named “wp-xmlrpc.php,” which could indicate the site has been compromised. 

Fortunately, Elementor has released patches related to these vulnerabilities included in version 2.9.4, which users can download now. Meanwhile, users of the Ultimate Addons for Elementor plugin can upgrade to version 1.24.2 to protect themselves from threats. 

All in all, WordPress appears to be having some difficulty keeping hackers off its platform. Bleeping Computer recently reported an attack that included upward of 900,000 WordPress sites. The attacks sought to redirect visitors to malvertising sites or plant backdoors if an administrator was currently logged in.

According to the report, the attacks were the work of a single actor who leveraged 24,000 IP‌ addresses to send malicious requests to the impacted sites.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

What is hacktivism?
hacking

What is hacktivism?

13 Oct 2020
Microsoft: Iranian hackers are exploiting ZeroLogon flaw
Security

Microsoft: Iranian hackers are exploiting ZeroLogon flaw

6 Oct 2020
The Ritz suffers data breach after hackers pose as staff
data breaches

The Ritz suffers data breach after hackers pose as staff

17 Aug 2020
Russia hacked Liam Fox's personal email to steal trade documents
phishing

Russia hacked Liam Fox's personal email to steal trade documents

4 Aug 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
iPhone 12 lineup official with A14 Bionic chip and 5G support
Mobile Phones

iPhone 12 lineup official with A14 Bionic chip and 5G support

13 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020