Arbitrary File Upload vulnerability in WordPress Royal Elementor Addons Plugin

A critical vulnerability has been identified in the WordPress Royal Elementor Addons plugin that could allow a malicious actor to upload any type of file to your website, including backdoors that could then be executed to gain further access.

This vulnerability was discovered and responsibly reported by Fioravante Souza.

The vulnerability is an Arbitrary File Upload vulnerability that occurs in the royal-elementor-addons.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user input to upload any type of file to the website.

Severity:

The vulnerability has a CVSS 3.1 score of 10.0, which is considered to be critical. This means that the vulnerability is very likely to be exploited and could have a severe impact on the affected system.

Affected Versions:

The vulnerability affects all versions of the Royal Elementor Addons plugin released prior to version 1.3.79.

Impact:

An attacker who successfully exploits this vulnerability could:

Unrestricted File Upload: Upload any type of file to the affected website, including backdoors that could then be executed to gain further access to the website.
Backdoor Installation: This upload capability can be exploited for installing backdoors, potentially providing long-term access to the website.
Take full control: Unauthorized access to the site can lead to the compromise of its functionality, data, and overall security.

Recommendation:

In response to this highly critical vulnerability, immediate action is mandatory. Here are the steps you should take:

Update the Plugin: Urgently update the Royal Elementor Addons Plugin to the latest available version, specifically version 1.3.79 or a later release. This update contains the essential security fixes required to address the Arbitrary File Upload vulnerability.
Regular Updates: Beyond this specific update, it is imperative to establish a routine of keeping all WordPress plugins and themes up to date. Regular updates are fundamental for maintaining a secure website.
Security Audit: Consider performing a comprehensive security audit of the WordPress website to identify and address any potential vulnerabilities.
Enhance Security Measures: Implement additional security layers such as web application firewalls (WAFs), and stringent authentication procedures, and conduct ongoing security monitoring of the website.

Conclusion:

This vulnerability is a serious threat to the security of WordPress websites that use the Royal Elementor Addons plugin. Users are strongly advised to update to the latest available version (at least 1.3.79) as soon as possible.

Arbitrary File Upload vulnerability in WordPress Royal Elementor Addons Plugin

Severity:

Affected Versions:

Impact:

Related Articles

Broken Access Control vulnerability in WordPress All-in-One WP Migration Google Drive Extension Plugin

Arbitrary File Deletion vulnerability in WordPress WPvivid Backup and Migration Plugin

SQL Injection vulnerability in WordPress Demon image annotation Plugin

Cross-Site Scripting (XSS) vulnerability in WordPress Order Delivery Date for WooCommerce Plugin

Arbitrary File Deletion vulnerability in WordPress ChatBot Plugin

Mitigating High-Severity XSS Vulnerability in Event Tickets Plugin

Categories

Latest Blog Updates

Unmasking a Persistent Malware Attack on a WordPress Website

Investigating and Resolving High CPU Usage in WordPress Due to Malicious Crawlers

Unmasking a Hidden Malware Attack Targeting Users from Search Results

Critical Broken Access Control Vulnerability in WP Travel Plugin

Critical Broken Access Control Vulnerability in WooODT Lite Plugin

Critical Local File Inclusion Vulnerability in HTML filter and csv-file search Plugin

Critical Remote Code Execution Vulnerability in PHP to Page Plugin