Reports on the presence of serious vulnerabilities affecting some WordPress plugins, the most popular of content management systems (CMS) have appeared again. Apparently these flaws are really easy to exploit, so the cybersecurity community tries to spread the word about its existence as soon as possible.
The affected plugin is Ultimate Addons, in its
versions for Elementor and Beaver Builder. This is a Premium tool that allows
WordPress website administrators to access many other plugins, as it also
facilitates the creation and design of websites, making it a very useful tool
for users with less technical knowledge.
Ultimate Addons was developed by Brainstorm Force, a prestigious group of experts who have created dozens of plugins used by thousands of WordPress websites around the world. In addition, Ultimate Addons has hundreds of thousands of active installations.
The issue was detected during a routine
cybersecurity audit. According to the report, exploiting this vulnerability
would allow a threat actor to gain illegitimate access to any WordPress website
with Ultimate Addons installed. In other words, hackers could take full control
of the compromised website if they manage to exploit the flaw.
Security firm MalCare specialists reported the
vulnerability to Team Brainstorm, which immediately began working on a fix. Less
than a day later, the plugin developers released the update and asked their
customers for their immediate installation to rule out any cybersecurity risks.
About the vulnerability
The vulnerability is presented as soon as the
affected plugin is installed on a website. A hacker who knows the email ID of
any user of a WordPress site could craft a special request to take control of
an administrator account. The main risk lies in the ease of collecting the
information needed for the attack.
In case of successfully exploiting the
vulnerability, the threat actor could steal data stored on the WordPress site,
redirect site users to pages of malicious content, advertise or sell illegal
products, among other activities.
The vulnerable version of the plugin is 1.0, so
potentially affected users should upgrade to the latest version depending on
the solution they use:
Beaver Builder, the corrected version is 22.214.171.124
Elementor, the secure version is 1.20.1
Versions prior to those mentioned will keep
WordPress websites exposed to exploiting the flaw. Apparently some cases of
exploitation have already been recorded in the wild. MalCare cybersecurity
specialists recommend that concerned users use any of the tools available to
scan WordPress websites in search of some indication of hacking activity.
Users of this plugin can update it automatically from the wp-admin control panel, mention the specialists of the International Institute of Cyber Security (IICS).
If you can’t update the plugin, there are
multiple security tools to manage or remove compromised plugins from your
Another viable option is to uninstall the
plugin manually. For this, only two simple steps are required:
the latest version of the plugin for Beaver Builder. For the Elementor plugin,
log in to Ultimate Addons and download the updated version
the previous version of your website. For this you need to disable and delete
the plugin. Then proceed to load and install the updated version. This process
does not cause loss of information
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.