Another major WordPress security flaw has been discovered - so patch now


A zero-day vulnerability was recently discovered in a highly popular add-on for the WordPress website builder, potentially putting at risk some 200,000 people who are using it. 

Cybersecurity researchers from Wordfence and WPScan (both WordPress security firms) discovered the vulnerability in Royal Elementor Addons and Templates, a website-building add-on kit built by WP Royal.

The vulnerability is tracked as CVE-2023-5360, and has a severity score of 9.8 (critical). By abusing the flaw, threat actors can upload files onto the WP platform, and even bypass different checks the add-on has, such as permitted file types. That, down the road, could enable them to completely take over the vulnerable website (if, for example, they upload a file that allows for remote code execution).

Abused in the wild

The flaw has already been found and exploited by threat actors, the researchers added: attacks began in late August 2023, and their volume increased significantly on October 3.

Wordfence reported identifying and blocking more than 46,000 attacks, while WPScan has seen 889 instances of threat actors dropping ten different payloads. While this might sound like an onslaught, most attacks are coming from just two IP addresses, which could suggest that the flaw is only known to a small number of hackers. 

The researchers reached out to WP Royal on October 3, and a patch was released within three days. To secure their websites, admins are advised to update the Royal Elementor Addons and Templates add-on to version 1.3.79. There are both commercial and free scanning solutions that can help admins determine whether their website is susceptible, BleepingComputer finds. It’s also worth mentioning that upgrading to the newest version won’t automatically remove existing infections - admins will need to clean those up manually.
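As an added illustration of the first check an admin would run (this is example code written for this article, not a tool from Wordfence, WPScan, WP Royal or BleepingComputer), the script below reads the standard WordPress plugin header out of each plugin's main PHP file under wp-content/plugins and flags a Royal Elementor Addons install whose version predates the patched release 1.3.79. The plugin directory slug and the header text are assumptions for the demo, and the sample plugin tree is constructed in a temporary directory. Note that a passing version check only tells you the patch is installed; as the article says, it does not tell you whether the site was compromised before the update.

```python
"""Flag a Royal Elementor Addons install older than the patched release 1.3.79.

Added example for this article, not code from any of the firms named in it.
Assumptions: the plugin uses a standard WordPress plugin header
("Plugin Name:", "Version:") in its main PHP file; the directory slug used
in the sample tree below is assumed, and the sample files are constructed.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

FIXED_VERSION = "1.3.79"             # patched release named in the article
PLUGIN_NAME = "Royal Elementor Addons"  # assumed header value, matched as a substring
SAMPLE_SLUG = "royal-elementor-addons"  # assumed directory slug for the demo

# Matches " * Plugin Name: ..." and " * Version: ..." lines in a header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Return the 'Plugin Name' and 'Version' fields from a plugin header.
    Only the first 8 KB is scanned, which is how WordPress reads headers too."""
    return {key: value for key, value in HEADER_RE.findall(php_source[:8192])}


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '1.3.78' into (1, 3, 78) so versions compare numerically:
    a lexical comparison would wrongly rank '1.3.9' above '1.3.79'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return version_tuple(version) < version_tuple(fixed)


def scan_plugins_dir(plugins_dir: str) -> List[Dict[str, object]]:
    """Walk a wp-content/plugins directory and report every plugin whose
    header names Royal Elementor Addons, with a 'vulnerable' flag."""
    findings: List[Dict[str, object]] = []
    for slug in sorted(os.listdir(plugins_dir)):
        slug_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(slug_dir):
            continue
        for fname in sorted(os.listdir(slug_dir)):
            if not fname.endswith(".php"):
                continue
            path = os.path.join(slug_dir, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                header = parse_plugin_header(fh.read())
            name = header.get("Plugin Name", "")
            version = header.get("Version")
            if PLUGIN_NAME.lower() in name.lower() and version:
                findings.append({"slug": slug, "version": version,
                                 "vulnerable": is_vulnerable(version)})
                break  # one header per plugin directory is enough
    return findings


def build_sample_tree(royal_version: str) -> str:
    """Construct a throwaway plugins directory holding one Royal Elementor
    install at the given version plus one unrelated plugin (sample data)."""
    root = tempfile.mkdtemp()
    plugins = {SAMPLE_SLUG: ("Royal Elementor Addons", royal_version),
               "hello": ("Hello Dolly", "1.7.2")}  # unrelated, must be ignored
    for slug, (name, version) in plugins.items():
        plugin_dir = os.path.join(root, slug)
        os.makedirs(plugin_dir)
        with open(os.path.join(plugin_dir, slug + ".php"), "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
    return root


if __name__ == "__main__":
    # Run against a constructed outdated install; point scan_plugins_dir at a
    # real wp-content/plugins path to check an actual site.
    for finding in scan_plugins_dir(build_sample_tree("1.3.78")):
        status = "UPDATE REQUIRED" if finding["vulnerable"] else "patched"
        print(f"{finding['slug']}: {finding['version']} -> {status}")
```

The numeric version comparison matters more than it looks: plugin version strings are not zero-padded, so a string comparison would call 1.3.9 newer than 1.3.79 and silently miss an outdated install.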

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
