Posted on December 15, 2019 at 8:29 AM
A recent report from security researchers, Brainstorm Force, revealed that vulnerability in some WordPress plugins could lead to cyber-attacks on affected sites. Ultimate Addons for Elementor and Ultimate Addons for Beaver are the two plugins that are currently vulnerable to hackers, the researchers said.
The security researchers have warned WordPress users that hackers are using vulnerable plugins to gain access to the administrative section to their websites. The researchers are warning users to patch up the vulnerability to prevent the takeover of their sites by hackers.
Brainstorm Force said that it has only recorded one incident where a customer has his website breached as a result of the bug. But it has received another report of a successful attack after the first report it received on Wednesday.
A serious vulnerability could give hackers Admin Access
The plugin vulnerability could give hackers complete access to the admin section of the WordPress publisher. However, it will only affect websites with those susceptible plugins installed. In a post published by Malware on Thursday, Hackers could gain complete access to WordPress websites that have these vulnerable plugins installed.
They can gain full control of the admin section and lock the owners out. This explains why vulnerability is a serious thing that should be fixed on time, said Malcare. In the meantime, it is warning publishers that have these plugins installed on their website to be more security conscious of the fact that the plugins are vulnerable.
Malcare said the flaw was discovered on Wednesday and contacted Brainstorm Force on the discovery on Thursday. It termed the flaw authentication bypass bug.
Brainstorm Force developers reacted swiftly to the alert and released a correction for the bug that affected both plugins within a few hours. It has already released versions that could patch the plugin (version 1.20.1 Elementor ultimate Addons and Version 188.8.131.52 for Beaver Builder Addons).
Other research teams also tracking the bug
WebARX, another security research team, stated that it started tracking the activities of the bug. The team revealed that hackers have started taking advantage of the plugin’s vulnerability. According to the research team, the hackers started targeting sites with these plugin vulnerabilities from December 10.
WebEx stated that the attackers are installing bogus SEO stats plugins by uploading tmp.zip file. The plugin will then add a .php backdoor to the vulnerable website’s root directory.
Number of customers affected not known
According to Brainstorm Force, the number of affected customers is not known yet. The research team pointed out that it could not verify the number of customers since it doesn’t have access to the servers hosting the vulnerable sites. But Brainstorm Force stated that the number of affected sites could be low since the hacker still needs to get access to the victim’s email address. Only a few admin users may have compromised their site, especially those with easy admin user login details.
Brainstorm Force revealed that the sites become vulnerable when the admin installs the Beaver Builder and Elementor plugins into their WordPress platform. The hacker would then require only the email address of the site’s admin user to exploit the bug, according to MalCare.
Whenever the vulnerable plugin is in use, the hacker will have easy access to the user’s website admin section. MalCare said that the plugin’s vulnerable version has a feature that gives access to potential attackers. They can use a regular username and password combination to log into the website’s admin. It also allows for Google and Facebook authentication method. But WebEx stated that those authentication methods do not have any password check, because they don’t require a password.
Affected users can apply the patch for the bug
Both of the vulnerable plugins are developed to help WordPress publishers easily add user functions and advanced designs to their sites. The publishers can use specific frameworks Elementor and Beaver, to add these functions to their sites.
Already, Brainstorm Force has informed the public on the vulnerabilities and the efforts it has made to patch the bug. Users will be able to block potential attackers by applying the patched bug and updating the plugin in their sites, according to Brainstorm Force.