New critical vulnerabilities found in WordPress plugins

Reports on the presence of serious vulnerabilities affecting some WordPress plugins, the most popular of content management systems (CMS) have appeared again. Apparently these flaws are really easy to exploit, so the cybersecurity community tries to spread the word about its existence as soon as possible.

The affected plugin is Ultimate Addons, in its versions for Elementor and Beaver Builder. This is a Premium tool that allows WordPress website administrators to access many other plugins, as it also facilitates the creation and design of websites, making it a very useful tool for users with less technical knowledge.

Ultimate Addons was developed by Brainstorm Force, a prestigious group of experts who have created dozens of plugins used by thousands of WordPress websites around the world. In addition, Ultimate Addons has hundreds of thousands of active installations.

The issue was detected during a routine cybersecurity audit. According to the report, exploiting this vulnerability would allow a threat actor to gain illegitimate access to any WordPress website with Ultimate Addons installed. In other words, hackers could take full control of the compromised website if they manage to exploit the flaw.

Security firm MalCare specialists reported the vulnerability to Team Brainstorm, which immediately began working on a fix. Less than a day later, the plugin developers released the update and asked their customers for their immediate installation to rule out any cybersecurity risks.

About the vulnerability

The vulnerability is presented as soon as the affected plugin is installed on a website. A hacker who knows the email ID of any user of a WordPress site could craft a special request to take control of an administrator account. The main risk lies in the ease of collecting the information needed for the attack.

In case of successfully exploiting the vulnerability, the threat actor could steal data stored on the WordPress site, redirect site users to pages of malicious content, advertise or sell illegal products, among other activities.

The vulnerable version of the plugin is 1.0, so potentially affected users should upgrade to the latest version depending on the solution they use:

  • In Beaver Builder, the corrected version is 1.2.4.1
  • For Elementor, the secure version is 1.20.1

Versions prior to those mentioned will keep WordPress websites exposed to exploiting the flaw. Apparently some cases of exploitation have already been recorded in the wild. MalCare cybersecurity specialists recommend that concerned users use any of the tools available to scan WordPress websites in search of some indication of hacking activity.

Users of this plugin can update it automatically from the wp-admin control panel, mention the specialists of the International Institute of Cyber Security (IICS).

If you can’t update the plugin, there are multiple security tools to manage or remove compromised plugins from your WordPress website.

Another viable option is to uninstall the plugin manually. For this, only two simple steps are required:

  • Download the latest version of the plugin for Beaver Builder. For the Elementor plugin, log in to Ultimate Addons and download the updated version
  • Uninstall the previous version of your website. For this you need to disable and delete the plugin. Then proceed to load and install the updated version. This process does not cause loss of information