Wordfence researchers have disclosed critical flaws in two popular WordPress plugins that could allow an attacker to run arbitrary code and take over the website. In total, 7 to 9 million websites could be hacked.
The researchers found flaws in Elementor, a website builder plugin used on more than 7 million sites, and WP Super Cache, a caching plugin for speeding up WordPress sites that is used by over 2 million users.
According to Wordfence, the security weakness in Elementor is a set of stored cross-site scripting (XSS) vulnerabilities (CVSS score: 6.4) which, if successfully exploited, allow an attacker to inject a malicious script directly into a vulnerable web application.
Wordfence found that multiple HTML elements, such as Heading, Column, Accordion, Icon Box, and Image Box, were vulnerable to the stored XSS attack.
The researchers say that because attackers need to add dynamic data to a template in order to inject the malicious scripts used in XSS attacks, such behavior can be prevented by validating the input and escaping the output data so that HTML tags passed as inputs are rendered harmless.
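The input validation and output escaping described above, shown as an added example that is not code from Wordfence or from either plugin: a hypothetical heading widget in plain PHP that renders the same template settings with and without those two defenses. The function names, the tag allowlist and the sample settings are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist of tag names a heading widget may emit (assumption).
const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

// Unsafe: the tag name and the title are written into the page verbatim,
// so whatever was stored in the template is parsed by the browser as markup.
function render_heading_unsafe(array $settings): string
{
    return sprintf('<%1$s>%2$s</%1$s>', $settings['tag'], $settings['title']);
}

// Hardened: validate the tag against the allowlist (input validation) and
// escape the title when it is written out (output escaping).
function render_heading_safe(array $settings): string
{
    $tag = strtolower((string) ($settings['tag'] ?? ''));
    if (!in_array($tag, ALLOWED_HEADING_TAGS, true)) {
        $tag = 'h2'; // fixed default instead of trusting the stored value
    }
    $title = htmlspecialchars(
        (string) ($settings['title'] ?? ''),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return sprintf('<%1$s>%2$s</%1$s>', $tag, $title);
}

// Constructed sample settings, as they might be stored in a saved template.
$samples = [
    ['tag' => 'h2',     'title' => 'Spring sale'],
    ['tag' => 'h2',     'title' => '<img src=x onerror=alert(1)>'],
    ['tag' => 'script', 'title' => 'alert(1)'],
];

foreach ($samples as $settings) {
    echo 'unsafe: ', render_heading_unsafe($settings), PHP_EOL;
    echo 'safe:   ', render_heading_safe($settings), PHP_EOL, PHP_EOL;
}
```

In a real WordPress plugin the escaping step would normally use the platform's own helpers, such as `esc_html()` and `wp_kses()`, rather than calling `htmlspecialchars()` directly.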
Wordfence also found an authenticated remote code execution (RCE) vulnerability in WP Super Cache. The bug could allow an attacker to upload and execute malicious code and gain control over the website.
Wordfence privately disclosed the flaws to plugin makers. Elementor fixed the flaws in version 3.1.4 and released an update on March 8.
Automattic, the maker of the WordPress platform and developer behind WP Super Cache, said it had addressed the “authenticated RCE in the settings page” in version 1.7.2.
All WordPress users are advised to update the above plugins to the latest versions to mitigate the described vulnerabilities.