A million WordPress sites are at risk due to plugin vulnerability


A security flaw in a popular plugin made it possible for malicious actors to compromise more than a million WordPress websites, experts have reported.

According to the Wordfence Threat Intelligence team, a vulnerability in the Starter Templates - Elementor, Gutenberg & Beaver Builder Templates plugin allowed contributor-level users to completely overwrite any page on the site and embed malicious JavaScript at will.

The vulnerability was discovered on October 4 and patched three days later, on October 7. All users (particularly those running versions 2.7.0 and older) are now advised to update the plugin to at least version 2.7.5.

The WordPress plugin allows site owners to import prebuilt templates for other website builders, such as Elementor. Taking a site with Elementor installed as its example, Wordfence explains that it was possible for users with the edit_post capability (such as contributors) to import blocks onto pages through the astra-page-elementor-batch-process AJAX action.

Site takeover a possibility

The elementor_batch_process function associated with this action does perform a nonce check, the researchers further explain, but that was a weak gateway: the required ajax_nonce was also exposed to contributors in the page source of the WordPress dashboard.

In theory, a malicious actor could create and host a block containing malicious JavaScript on a server, and then use it to overwrite any post or page by sending an AJAX request with the action set to astra-page-elementor-batch-process and the URL parameter pointed at the remotely hosted malicious block.

Consequently, the malicious JavaScript would execute in the browser of anyone visiting the overwritten page.
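As an added illustration (not the plugin's own code, and not from Wordfence), the authorization pattern at the heart of the flaw described above: an AJAX handler that relies on a nonce alone, beside one that also checks the caller's capability against the target post and restricts where templates may be fetched from. Only the AJAX action, the ajax_nonce parameter and the edit_post capability come from the article; the handler names, the nonce action string, the post meta key and the allowed host are assumptions.

```php
<?php
// Illustrative reconstruction of the pattern, not the plugin's real code.

// WEAK (shown for comparison, deliberately not registered with add_action):
// a nonce is a CSRF token, not an authorization check. Any logged-in user who
// can read the nonce from the dashboard page source can call the action and
// point it at an arbitrary remote block, so it silently trusts the caller.
function weak_elementor_batch_process() {
    check_ajax_referer('astra-sites', 'ajax_nonce');      // 'astra-sites' is assumed
    $url     = $_POST['url'];                             // no validation of the source
    $post_id = (int) $_POST['id'];                        // no check the user may edit it
    $body    = wp_remote_retrieve_body(wp_remote_get($url));
    update_post_meta($post_id, '_elementor_data', $body); // meta key assumed
    wp_send_json_success();
}

// HARDENED: nonce + capability checks scoped to the target post + source allow-list.
add_action('wp_ajax_astra-page-elementor-batch-process', 'hardened_elementor_batch_process');
function hardened_elementor_batch_process() {
    check_ajax_referer('astra-sites', 'ajax_nonce');
    $post_id = isset($_POST['id']) ? (int) $_POST['id'] : 0;
    // The caller must be allowed to edit *this* post, and importing remote
    // templates is an administrative action, so a contributor's edit_post on
    // their own draft is not enough. wp_send_json_error() exits the request.
    if (!$post_id || !current_user_can('edit_post', $post_id) || !current_user_can('manage_options')) {
        wp_send_json_error('insufficient permissions', 403);
    }
    $url           = isset($_POST['url']) ? esc_url_raw(wp_unslash($_POST['url'])) : '';
    $allowed_hosts = array('templates.example.com');       // placeholder for the vendor's template host
    $host          = wp_parse_url($url, PHP_URL_HOST);
    // wp_http_validate_url() rejects non-http(s) schemes and private/loopback hosts;
    // the allow-list then pins the fetch to the vendor's template source.
    if (!wp_http_validate_url($url) || !in_array($host, $allowed_hosts, true)) {
        wp_send_json_error('template source not allowed', 400);
    }
    $response = wp_remote_get($url, array('timeout' => 15));
    if (is_wp_error($response) || 200 !== wp_remote_retrieve_response_code($response)) {
        wp_send_json_error('fetch failed', 502);
    }
    // Only accept structured template data, never raw markup or script.
    $data = json_decode(wp_remote_retrieve_body($response), true);
    if (!is_array($data)) {
        wp_send_json_error('invalid template payload', 400);
    }
    update_post_meta($post_id, '_elementor_data', wp_slash(wp_json_encode($data)));
    wp_send_json_success(array('post_id' => $post_id));
}
```

The takeaway for plugin authors is that check_ajax_referer() answers "did this request come from my page?" while current_user_can() answers "may this user do this to this object?"; a handler that writes to arbitrary posts needs both.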

There are numerous use cases for the flaw, Wordfence says, including redirecting users to a malicious website, hijacking an admin session to create new admins, or adding a backdoor to the site, which could lead to complete site takeover.

With the latter being a high-level threat, Wordfence recommends that all affected users spread the word and raise awareness of the vulnerability.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
