A zero-day vulnerability was recently discovered in a highly popular add-on for the WordPress website builder, potentially putting at risk some 200,000 people who are using it. 

Cybersecurity researchers from Wordfence and WPScan (both WordPress security firms) discovered the vulnerability in Royal Elementor Addons and Templates, a website-building add-on kit built by WP Royal.

The vulnerability is tracked as CVE-2023-5360, and has a severity score of 9.8 (critical). By abusing the flaw, threat actors can upload files onto the WP platform, and even bypass different checks the add-on has, such as permitted file types. That, down the road, could enable them to completely take over the vulnerable website (if, for example, they upload a file that allows for remote code execution).

Abused in the wild

The flaw has already been discovered by threat actors, and used in attacks, the researchers added, with attacks starting in late August 2023, with the volume significantly increasing on October 3. 

Wordfence reported identifying and blocking more than 46,000 attacks, while WPScan has seen 889 instances of threat actors dropping ten different payloads. While this might sound like an onslaught, most attacks are coming from just two IP addresses, which could suggest that the flaw is only known to a small number of hackers. 

The researchers reached out to WP Royal on October 3, and a patch was released within three days. To secure their websites, admins are advised to update the Royal Elementor Addons and Templates add-on to version 1.3.79. There are both commercial and free scanning solutions that can help admins determine if their website is susceptible or not, BleepingComputer finds. It’s also worth mentioning that uploading to the newest version won’t automatically remove the infections – admins will need to do so manually.

Via BleepingComputer

More from TechRadar Pro

Services MarketplaceListings, Bookings & Reviews

Entertainment blogs & Forums

Advantages of overseas domestic helper.