Critical vulnerability in popular WordPress plugin exposes millions of sites to hacking
A critical vulnerability in a highly popular WordPress plugin has exposed millions of websites to hacking.
Discovered by researchers at Plugin Vulnerabilities and detailed April 12, the vulnerability was found in Elementor, a WordPress website-builder plugin with more than 5 million active installations. The vulnerability was introduced in version 3.6.0 of the plugin, released on March 22; about a third of the sites using Elementor were running the vulnerable version when the vulnerability was found.
The vulnerability is caused by the absence of a critical access check in one of the plugin’s files, which is loaded on every request, even when the user is not logged in. Because the check never occurs, access to the file, and hence to the plugin’s functionality, is open to all and sundry, including bad actors.
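As an added illustration of the pattern described above (this is not Elementor’s code; the hook, option and nonce names are assumed), a WordPress handler that runs on every request, shown first without and then with the access checks it needs:

```php
<?php
// Added illustration, not Elementor's code. The handler is hooked on `init`, so it runs on
// every request, including unauthenticated ones. Names below are assumed for the example.

// --- Vulnerable pattern: acts on request parameters with no access check at all ---
add_action( 'init', 'demo_plugin_handle_request_unsafe' );
function demo_plugin_handle_request_unsafe() {
    if ( empty( $_POST['demo_plugin_action'] ) ) {
        return;
    }
    // Anyone who can reach the site can trigger this privileged operation.
    $value = sanitize_text_field( wp_unslash( $_POST['demo_plugin_value'] ?? '' ) );
    update_option( 'demo_plugin_setting', $value );
}

// --- Hardened pattern: capability check plus nonce before doing anything ---
add_action( 'init', 'demo_plugin_handle_request_safe' );
function demo_plugin_handle_request_safe() {
    if ( empty( $_POST['demo_plugin_action'] ) ) {
        return;
    }
    // 1. Require an authenticated user holding a capability appropriate to the action.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Require a valid nonce so a logged-in admin cannot be tricked into triggering it.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_key( $_POST['_wpnonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_plugin_action' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['demo_plugin_value'] ?? '' ) );
    update_option( 'demo_plugin_setting', $value );
}
```

The key point is that the check must sit at the entry of any code path reachable on every request; a check that lives only in the admin UI that normally calls the file does nothing for a request that skips that UI.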
SiliconAngle tapped K2’s CEO and Co-Founder, Pravin Madhani, for commentary.