Hackers exploit critical flaw in WordPress Royal Elementor plugin

A high-severity security issue affecting Royal Elementor Addons and Templates up to and including version 1.3.78 is currently being exploited in the wild, as reported by two WordPress security teams. Because the exploitation began before the vendor released a patch, the vulnerability was used by malicious actors as a zero-day.

WP Royal's Royal Elementor Addons and Templates is a user-friendly website-building toolkit, enabling the easy generation of web elements without requiring coding expertise. As per WordPress.org, it boasts more than 200,000 active installations. The vulnerability, identified as CVE-2023-5360 (CVSS v3.1: 9.8 "critical"), permits unauthenticated attackers to perform arbitrary file uploads on susceptible websites. Although the plugin restricts uploads to an approved list of file formats, unauthenticated users can manipulate that 'allowed list' to bypass the sanitization and verification measures. Exploiting this flaw could enable attackers to achieve remote code execution during the file upload process, potentially resulting in a full compromise of the website. Further specifics about the vulnerability have been withheld to deter widespread exploitation.

Exploited to create rogue admin accounts

Since August 30, 2023, both Wordfence and WPScan (Automattic), two WordPress security firms, have identified CVE-2023-5360 as actively exploited. The frequency of attacks has intensified notably since October 3, 2023. According to Wordfence, they have successfully thwarted over 46,000 attacks aimed at Royal Elementor within the last month. Additionally, WPScan has documented 889 instances of attackers deploying ten separate payloads after exploiting the vulnerability.


Recommendations:

1. It is strongly advised that all users of the add-on upgrade to version 1.3.79 at the earliest opportunity.

2. In the absence of access to any commercial scanning solutions, you can utilize the following free scanner: "https://github.com/IRB0T/CVE-Scan/tree/main/CVE2023-5360-Scan" to assess whether your website is vulnerable to this attack.

3. It is important to note that simply upgrading the add-on to version 1.3.79 will not automatically eliminate infections or delete any malicious files. Therefore, it is essential to conduct a website cleanup in these instances.
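As an added example (not code from the article or from the scanner linked above), the following Python script covers recommendations 1 and 3 for a site you administer: it reads the plugin's "Version:" header to decide whether the installed release predates the 1.3.79 fix, and it lists PHP files under wp-content/uploads, which is where an arbitrary file upload would normally land and where only media should live. The plugin directory name and main file name used in the demo are assumptions; point the functions at your real install.

```python
import re
import tempfile
from pathlib import Path

# First patched release named in the advisory; everything below it is affected.
FIXED_VERSION = (1, 3, 79)
# WordPress plugin headers carry a "Version:" line in the main PHP file's comment block.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.MULTILINE)
# Extensions PHP servers commonly execute; none of these belong in an uploads tree.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}


def parse_plugin_version(header_text: str):
    """Return the plugin version as a tuple of ints, or None if no header is found."""
    m = VERSION_RE.search(header_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version) -> bool:
    """Versions up to 1.3.78 are affected; 1.3.79 and later carry the fix."""
    return version is not None and version < FIXED_VERSION


def find_php_in_uploads(uploads_dir: Path):
    """List PHP-executable files under wp-content/uploads for manual review during cleanup."""
    suspicious = []
    for p in uploads_dir.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            suspicious.append(p.relative_to(uploads_dir).as_posix())
    return sorted(suspicious)


def demo():
    """Constructed wp-content tree: a pre-patch plugin header plus a planted PHP file in uploads."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin = root / "plugins" / "royal-elementor-addons"  # directory name assumed
        plugin.mkdir(parents=True)
        main_file = plugin / "wpr-addons.php"  # file name is a constructed placeholder
        main_file.write_text("<?php\n/**\n * Plugin Name: Royal Elementor Addons\n * Version: 1.3.78\n */\n")
        uploads = root / "uploads" / "2023" / "10"
        uploads.mkdir(parents=True)
        (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff")  # legitimate media, ignored
        (uploads / "image.php").write_text("<?php // constructed sample, not a real payload\n")
        version = parse_plugin_version(main_file.read_text())
        return is_vulnerable(version), find_php_in_uploads(root / "uploads")


if __name__ == "__main__":
    print(demo())  # (True, ['2023/10/image.php'])
```

A PHP file in uploads is a strong indicator but not proof of compromise, and its absence does not prove a clean site; treat the list as a starting point for the cleanup the article recommends.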
