Critical Flaw in Popular WordPress Plugin Leaves Over 200,000 Sites at Risk

The popular WordPress plugin "Royal Elementor Addons and Templates" by WP Royal has been found to harbor a critical flaw that could place over 200,000 websites at risk.

This alarming discovery was made by two WordPress security teams, WordFence and WPScan (Automattic), who reported that malicious actors are actively exploiting the vulnerability, making the threat ominously direct.

High Severity Flaw Exploited as Zero-Day

The flaw, identified as CVE-2023-5360, has been classified with a CVSS v3.1 score of 9.8, marking it as "Critical." It lets unauthenticated attackers upload arbitrary files on vulnerable websites, thanks to a loophole in the extension validation mechanism designed to limit uploads to only certain permitted file types.

The vulnerability was leveraged as a zero-day, indicating that threat actors were exploiting it even before the vendor could roll out a patch.

"The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.3.78," according to WordFence's security advisory. "This is due to insufficient file type validation in the handle_file_upload() function called via AJAX which allows attackers to supply a preferred filetype extension to the allowed_file_types parameter, with a special character, which makes it possible for the uploaded file to bypass their filter list. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."

Active Exploitation Traced Back to Late August

The security teams traced the active exploitation of the flaw back to Aug. 30; however, the volume of attacks significantly increased starting Oct. 3.

WordFence reportedly blocked over 46,000 attacks targeting this plugin within the past month, while WPScan identified 889 instances of attackers exploiting the flaw. Perpetrators deployed a variety of malicious payloads, primarily PHP scripts acting as backdoors or attempting to create rogue administrator accounts.

Urgent Call to Update to the Latest Plugin Version

The vendor was notified of the exploit on Oct. 3, then released version 1.3.79 of the plugin with a patch to address the vulnerability on Oct. 6.

All users of the impacted plugin are strongly advised to update to the latest version to mitigate the risk of an attack. However, for those whose websites have already been compromised, merely updating the plugin may not resolve the infection, and a thorough cleanup operation may be essential to restore website security.