Wordfence researchers have disclosed critical flaws in two popular WordPress plugins that could allow an attacker to run arbitrary code and take over the website. In total, between 7 and 9 million websites could be at risk.
The researchers found flaws in Elementor, a website builder plugin used on more than 7 million sites, and WP Super Cache, a caching plugin that speeds up WordPress sites and is used by over 2 million users.
According to Wordfence, the security weakness in Elementor concerns a set of stored cross-site scripting (XSS) vulnerabilities (CVSS score: 6.4) which, if successfully exploited, allow an attacker to inject a malicious script directly into a vulnerable web application.
The bug stems from the lack of server-side validation of HTML tags. An attacker can add executable JavaScript to a post or page via a specially crafted request, and the script runs when another user views that post or page.
“Since posts created by contributors are typically reviewed by editors or administrators before publishing, any JavaScript added to one of these posts would be executed in the reviewer’s browser,” Wordfence said in its technical analysis.
Further, they explained that if an administrator reviews a post containing malicious JavaScript, the attacker could use the administrator's high-privilege session to create a new administrator account or add a backdoor to the website, which could ultimately lead to site takeover.
Wordfence found multiple HTML elements, such as Heading, Column, Accordion, Icon Box, and Image Box, to be vulnerable to the stored XSS attack.
Researchers say that because attackers must add dynamic data to a template in order to inject the scripts used in an XSS attack, such behavior can be prevented by validating the input and escaping the output so that HTML tags passed as input are rendered harmless.
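As an added illustration of the input-validation and output-escaping point above (example code written for this article, not Elementor's or Wordfence's code), the following PHP contrasts a heading renderer that trusts a contributor-supplied tag name with one that checks the tag against a server-side allowlist and escapes the text content. The function names, the allowlist and the sample input are assumptions constructed for the example.

```php
<?php
// Added example (not Elementor's or Wordfence's code): rendering a heading
// element whose tag name and text are chosen by a post author. Both values
// are assumed to come from an untrusted contributor request.

// Vulnerable pattern: the tag name is interpolated into the markup without
// validation, so a contributor can store "script" (or any other tag) and the
// resulting markup executes in the browser of the editor who reviews the post.
function render_heading_unsafe(string $tag, string $text): string
{
    return "<{$tag}>{$text}</{$tag}>";
}

// Hardened pattern: only tags from a fixed server-side allowlist are emitted,
// and the text is HTML-escaped so any markup inside it is shown literally.
const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

function render_heading_safe(string $tag, string $text): string
{
    $tag = strtolower(trim($tag));
    if (!in_array($tag, ALLOWED_HEADING_TAGS, true)) {
        // Do not trust the input at all: fall back to a safe default tag.
        $tag = 'h2';
    }
    $escaped = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<{$tag}>{$escaped}</{$tag}>";
}

// Constructed sample input imitating a malicious contributor request.
$tag  = 'script';
$text = 'alert("xss")';

// Unsafe output: <script>alert("xss")</script>  (runs in the reviewer's browser)
echo render_heading_unsafe($tag, $text), PHP_EOL;

// Safe output:   <h2>alert(&quot;xss&quot;)</h2>  (rendered as plain text)
echo render_heading_safe($tag, $text), PHP_EOL;
```

Run it with `php example.php`. In a WordPress plugin the same intent is expressed with the core helpers: `tag_escape()` for a tag name, `esc_html()` for text content, and `wp_kses()` with an explicit allowlist where a limited set of markup must be permitted.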
Wordfence also found an authenticated remote code execution (RCE) vulnerability in WP Super Cache. The bug could allow an attacker to upload and execute malicious code and gain control over the website.
Wordfence privately disclosed the flaws to plugin makers. Elementor fixed the flaws in version 3.1.4 and released an update on March 8.
Automattic, the maker of the WordPress platform and developer behind WP Super Cache, said it had addressed the “authenticated RCE in the settings page” in version 1.7.2.
All WP users are advised to update the above plugins to the latest versions to mitigate the described vulnerabilities.