Researchers have disclosed vulnerabilities in multiple WordPress plugins that, if successfully exploited, could allow an attacker to run arbitrary code and take over a website in certain scenarios.
According to Wordfence, which discovered the security weaknesses in Elementor, the issue is a set of stored cross-site scripting (XSS) vulnerabilities (CVSS score: 6.4). Stored XSS occurs when a malicious script is injected directly into a vulnerable web application.
The flaws stem from dynamic data entered in a template being usable to include malicious scripts intended to launch XSS attacks. Such behaviour can be thwarted by validating the input and escaping the output data so that HTML tags passed as input are rendered harmless.
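The two defences named above, input validation and output escaping, are illustrated here with a small added example. It is not Elementor's or Wordfence's code: it assumes a simplified template renderer in which an editor chooses a tag name and supplies dynamic text, and the allow-list, the sample inputs and the function names are constructed for the illustration.

```javascript
// Added example (not Elementor's code): a minimal template renderer that
// accepts a tag name and dynamic text chosen by an editor.

// Input validation: only these tag names may be emitted by the renderer (assumed allow-list).
const ALLOWED_TAGS = new Set(['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'span', 'div']);

// Output escaping: neutralise the characters that would otherwise be
// interpreted as HTML markup or attribute delimiters.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reject any tag name outside the allow-list and fall back to a harmless default.
function validateTag(tag) {
  const normalised = String(tag).trim().toLowerCase();
  return ALLOWED_TAGS.has(normalised) ? normalised : 'p';
}

// The 'before' pattern: both the tag name and the text are trusted as-is,
// so whatever was stored in the template is emitted verbatim.
function renderUnsafe(tag, text) {
  return `<${tag}>${text}</${tag}>`;
}

// The hardened pattern: validate the structural input, escape the dynamic output.
function renderSafe(tag, text) {
  const safeTag = validateTag(tag);
  return `<${safeTag}>${escapeHtml(text)}</${safeTag}>`;
}

// Constructed sample: an unexpected tag name plus markup inside the text.
const sampleTag = 'script';
const sampleText = '<b>hello</b>';

console.log('unsafe:', renderUnsafe(sampleTag, sampleText));
console.log('safe:  ', renderSafe(sampleTag, sampleText));
```

The unsafe renderer reproduces whatever was stored; the safe one emits `<p>&lt;b&gt;hello&lt;/b&gt;</p>`, which a browser displays as literal text. Note that escaping is context-specific: the function above is for HTML text and attribute-value contexts, and different rules apply inside URLs, JavaScript or CSS.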
Separately, an authenticated remote code execution (RCE) vulnerability was discovered in WP Super Cache that could allow an adversary to upload and execute malicious code with the goal of gaining control of the site. The plugin is reported to be used on more than two million WordPress sites.
Following responsible disclosure on February 23, Elementor fixed the issues in version 3.1.4 released on March 8 by hardening “allowed options in the editor to enforce better security policies.” Likewise, Automattic, the developer behind WP Super Cache, said it addressed the “authenticated RCE in the settings page” in version 1.7.2.
It’s highly recommended that users of the plugins update to the latest versions to mitigate the risk associated with the flaws.
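For administrators who manage several sites, the version check can be scripted. The following added example (not from the article, Wordfence, Elementor or Automattic) compares installed plugin versions against the fixed versions the article cites. It assumes an input list in the shape produced by `wp plugin list --format=json` (objects with `name` and `version` fields) and assumes the plugin slugs `elementor` and `wp-super-cache`; the sample list is constructed, not real site output.

```javascript
// Added example: flag plugins still below the versions that fixed the flaws.
// Fixed versions are taken from the article; the slugs are assumed.
const FIXED_VERSIONS = {
  elementor: '3.1.4',
  'wp-super-cache': '1.7.2',
};

// Numeric, component-wise comparison so that 1.7.10 sorts above 1.7.2.
// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = String(a).split('.').map(Number);
  const pb = String(b).split('.').map(Number);
  const length = Math.max(pa.length, pb.length);
  for (let i = 0; i < length; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return the plugins from the list that are known-affected and not yet updated.
function findVulnerable(plugins, fixed = FIXED_VERSIONS) {
  return plugins
    .filter((p) => fixed[p.name] && compareVersions(p.version, fixed[p.name]) < 0)
    .map((p) => ({ name: p.name, installed: p.version, fixedIn: fixed[p.name] }));
}

// Constructed sample in the assumed `wp plugin list --format=json` shape.
const samplePlugins = [
  { name: 'elementor', status: 'active', version: '3.1.3' },
  { name: 'wp-super-cache', status: 'active', version: '1.7.2' },
  { name: 'akismet', status: 'inactive', version: '4.1.9' },
];

console.log(findVulnerable(samplePlugins));
```

On the sample list only `elementor` is reported, because WP Super Cache is already at the fixed version and Akismet is not in the affected set. Plugins absent from the list (not installed) are simply not reported.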
At Raptor IT Consultants, our goal is establishing a foundation for your business network that empowers its users to work efficiently, while leveraging technologies that save time and money, and offering scalable IT solutions that work with any business model. With more than 15 years overseeing our customers' IT service needs, offering a dedicated IT support helpdesk bundled with affordable managed IT services, and website development, our experienced, Microsoft-certified IT consultants strive to exceed expectations by offering an immersive yet simple IT support experience.