Hackers are exploiting a flaw in outdated versions of two add-on plugins for the Beaver Builder and Elementor page builders, Ultimate Addons for Beaver Builder and Ultimate Addons for Elementor, to gain administrative access to WordPress websites. Patches that fix the flaw have been released and users are advised to apply them as soon as possible.
Plugins Flaw Discovery
Security researchers at the web security service MalCare discovered the flaw last week and reported it to the developer of the affected plugins the same day. The vulnerable plugins are:
- Ultimate Addons for Elementor version 1.20.0
- Ultimate Addons for Beaver Builder version 1.24.0
Both plugins are developed by the software company Brainstorm Force. They add advanced design elements and functionality to websites built with the Beaver Builder and Elementor page builders.
MalCare wrote in an article published last week: “[This is] a major vulnerability that could allow hackers to gain admin access to any WordPress website that had the plugin installed. This means hackers can gain full control of your website if you are using the plugin.”
Since the flaw was disclosed, two cases of attackers exploiting it in the wild have already been reported.
What is the Plugins Flaw?
The vulnerability lies in a feature of both plugins that lets WordPress account holders log in through Facebook or Google. Administrator accounts can also use these login methods, so a bypass of this check yields full control of the site.
By exploiting the flaw in the Facebook or Google login handlers, attackers can bypass authentication and obtain remote administrative access to a WordPress site without ever entering a password. As WebARX researchers, who also investigated the flaw, explained: “… the Facebook and Google authentication methods did not verify the token returned by Facebook and Google, and since they don’t require a password, there was no password check.”
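To make the failure mode concrete, here is an added Python model of the two login paths. It is not the plugins' PHP code and does not come from MalCare, WebARX or Brainstorm Force: the vulnerable handler trusts whatever e-mail address the client submits and skips both the password check and the provider token check, while the hardened handler accepts the social login only after the token has been validated with the provider and uses the identity the provider vouches for. The user table, the application id and the provider introspection lookup are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the site's user table (assumption, not real data).
USERS = {
    "admin@example.com": {"login": "admin", "role": "administrator"},
    "editor@example.com": {"login": "editor", "role": "editor"},
}

# Application id the site registered with the identity provider (constructed).
OUR_CLIENT_ID = "site-app-123"

# Constructed stand-in for the provider's server-side token introspection
# endpoint (Google's tokeninfo / Facebook's debug_token play this role in
# practice). Only tokens the provider actually issued map to an identity.
PROVIDER_TOKENS = {
    "tok-editor-valid": {"email": "editor@example.com", "email_verified": True, "aud": "site-app-123"},
    "tok-other-app": {"email": "admin@example.com", "email_verified": True, "aud": "some-other-app"},
    "tok-unverified": {"email": "admin@example.com", "email_verified": False, "aud": "site-app-123"},
}


def provider_introspect(token: str) -> Optional[dict]:
    """Simulates a server-to-server call to the provider; None for tokens it never issued."""
    return PROVIDER_TOKENS.get(token)


@dataclass
class SocialLoginRequest:
    email: str  # submitted by the browser, fully attacker-controlled
    token: str  # whatever the browser claims is the provider token


def login_vulnerable(req: SocialLoginRequest) -> Optional[str]:
    """The pattern the article describes: no password check, and the token is
    never checked with the provider, so the client-supplied e-mail alone
    selects the account that gets a session. Returns the login name that
    would be issued a session, or None."""
    user = USERS.get(req.email)
    if user is None:
        return None
    return user["login"]  # a session cookie would be set here


def login_fixed(req: SocialLoginRequest) -> Optional[str]:
    """Hardened flow: the token must be validated with the provider, must have
    been issued for this application, and must carry a verified e-mail. The
    e-mail typed by the client is ignored entirely."""
    info = provider_introspect(req.token)
    if info is None:
        return None  # token not issued by the provider (e.g. random garbage)
    if info.get("aud") != OUR_CLIENT_ID:
        return None  # valid token, but minted for another application
    if not info.get("email_verified"):
        return None  # provider does not vouch for this address
    user = USERS.get(info["email"])  # provider-asserted identity only
    if user is None:
        return None
    return user["login"]


if __name__ == "__main__":
    # Attacker knows only the admin's e-mail address and sends a junk token.
    attacker = SocialLoginRequest(email="admin@example.com", token="garbage")
    print("vulnerable handler logs in as:", login_vulnerable(attacker))  # admin
    print("fixed handler logs in as:", login_fixed(attacker))  # None
```

The audience check matters as much as the signature or introspection check: a token a user legitimately obtained for a different application must not be accepted here, and the account is always selected from the provider's response, never from a form field.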
How do Attackers Exploit the Flaw?
According to WebARX, attackers are using the flaw to install a fake SEO statistics plugin on the targeted WordPress site and then drop a backdoor file for later access.
To exploit the vulnerability, an attacker needs to know or guess the email address of an administrator account on the target site. According to MalCare, however: “In most cases, this information can be retrieved fairly easily.”
What should Owners of Affected Websites Do?
Both the Beaver Builder and Elementor page builders are extremely popular and currently power hundreds of thousands of WordPress websites around the world. Brainstorm Force therefore acted quickly and released fixes for both plugins within hours of the flaw being reported.
Brainstorm Force fixed the authentication bypass vulnerability in the following releases:
- Ultimate Addons for Elementor version 1.20.1; and
- Ultimate Addons for Beaver Builder version 1.24.1.
Users running the vulnerable versions should update as soon as possible. The update can be applied from the Plugins page of the WordPress dashboard by clicking the “update” link for each plugin.
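For sites that cannot be checked one by one through the dashboard, the following added Python script (not from the article, MalCare or Brainstorm Force) reads the `Version:` header of each plugin's main file under `wp-content/plugins` and reports whether it is below the fixed release named above. The plugin directory names `ultimate-elementor` and `bb-ultimate-addon` are an assumption about how the plugins are installed; adjust them if your install uses different directories.

```python
import os
import re
from typing import Dict, Optional, Tuple

# Fixed versions named in the article, keyed by the plugin directory name.
# The directory names are assumptions, not something the article states.
FIXED_VERSIONS = {
    "ultimate-elementor": "1.20.1",
    "bb-ultimate-addon": "1.24.1",
}

# Matches "Version: 1.20.0" inside a plugin file header, with or without a
# leading " * " from a docblock-style comment.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$", re.MULTILINE)


def parse_plugin_version(header: str) -> Optional[str]:
    """Extract the Version: field from WordPress plugin header text."""
    m = VERSION_RE.search(header)
    return m.group(1) if m else None


def version_key(v: str) -> Tuple[int, ...]:
    """Turn a dotted version into a comparable tuple; a non-numeric suffix
    such as '1.20.1-beta' contributes only its leading digits."""
    parts = []
    for piece in v.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def is_vulnerable(slug: str, version: str) -> bool:
    """True if the installed version is strictly below the fixed release.
    Unknown plugins are reported as not vulnerable by this check."""
    fixed = FIXED_VERSIONS.get(slug)
    if fixed is None:
        return False
    a, b = version_key(version), version_key(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))  # pad so "1.25" and "1.24.1" compare sanely
    b += (0,) * (n - len(b))
    return a < b


def scan_plugins_dir(plugins_dir: str) -> Dict[str, Tuple[Optional[str], bool]]:
    """For each known plugin directory, read the header from the first
    top-level .php file that carries one. Like WordPress itself, only the
    first 8 KB of a file is examined for header fields."""
    results: Dict[str, Tuple[Optional[str], bool]] = {}
    for slug in FIXED_VERSIONS:
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue
        version = None
        for name in sorted(os.listdir(plugin_dir)):
            if not name.endswith(".php"):
                continue
            with open(os.path.join(plugin_dir, name), encoding="utf-8", errors="replace") as fh:
                version = parse_plugin_version(fh.read(8192))
            if version:
                break
        results[slug] = (version, is_vulnerable(slug, version) if version else False)
    return results


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for slug, (ver, vuln) in scan_plugins_dir(target).items():
        print(f"{slug}: {ver or 'version not found'} {'VULNERABLE' if vuln else 'ok'}")
```

Run it as `python check_versions.py /var/www/site/wp-content/plugins`. A plugin directory that exists but yields no version is reported as not vulnerable, so treat a "version not found" line as something to inspect by hand rather than as a pass.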
In addition, users are advised to change the default admin username in WordPress and to use a unique, strong password for every login. This precaution applies whether or not a site is affected by this flaw; note that on its own it does not prevent the bypass described above, which requires no password at all.