A critical vulnerability has been identified in the WordPress Royal Elementor Addons plugin that could allow a malicious actor to upload any type of file to your website, including backdoors that could then be executed to gain further access.
This vulnerability was discovered and responsibly reported by Fioravante Souza.
The vulnerability is an Arbitrary File Upload vulnerability that occurs in the royal-elementor-addons.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user input to upload any type of file to the website.
The vulnerability has a CVSS 3.1 score of 10.0, which is considered to be critical. This means that the vulnerability is very likely to be exploited and could have a severe impact on the affected system.
The vulnerability affects all versions of the Royal Elementor Addons plugin released prior to version 1.3.79.
An attacker who successfully exploits this vulnerability could:
- Unrestricted File Upload: Upload any type of file to the affected website, including backdoors that could then be executed to gain further access to the website.
- Backdoor Installation: This upload capability can be exploited for installing backdoors, potentially providing long-term access to the website.
- Take full control: Unauthorized access to the site can lead to the compromise of its functionality, data, and overall security.
In response to this highly critical vulnerability, immediate action is mandatory. Here are the steps you should take:
- Update the Plugin: Urgently update the Royal Elementor Addons Plugin to the latest available version, specifically version 1.3.79 or a later release. This update contains the essential security fixes required to address the Arbitrary File Upload vulnerability.
- Regular Updates: Beyond this specific update, it is imperative to establish a routine of keeping all WordPress plugins and themes up to date. Regular updates are fundamental for maintaining a secure website.
- Security Audit: Consider performing a comprehensive security audit of the WordPress website to identify and address any potential vulnerabilities.
- Enhance Security Measures: Implement additional security layers such as web application firewalls (WAFs), and stringent authentication procedures, and conduct ongoing security monitoring of the website.
This vulnerability is a serious threat to the security of WordPress websites that use the Royal Elementor Addons plugin. Users are strongly advised to update to the latest available version (at least 1.3.79) as soon as possible.