WordPress Websites Hacked via Royal Elementor Plugin Zero-Day

A critical vulnerability in the Royal Elementor WordPress plugin has been exploited as a zero-day since August 30.

Security researchers are warning of a critical-severity vulnerability in the Royal Elementor Addons and Templates WordPress plugin that has been exploited as a zero-day for more than a month.

Developed by WP Royal, the plugin helps domain admins build their websites without any coding experience. Royal Elementor has more than 200,000 active installations on the WordPress marketplace.

The exploited bug, tracked as CVE-2023-5360 (CVSS score of 9.8), is described as insufficient file type validation in the plugin’s upload function, which allows unauthenticated attackers to upload arbitrary files to vulnerable sites, leading to remote code execution.

The flaw impacts all Royal Elementor versions prior to 1.3.79 and, according to WordPress security firm Defiant, has been exploited in malicious attacks since at least August 30.

To date, the security firm has seen more than 46,000 attacks attempting to exploit this vulnerability, with an increase in activity observed on October 3.

Most attacks, Defiant says, came from three different IP addresses and were aimed at deploying specific files on the target sites in order to create a malicious administrator account.

According to Automattic’s WPScan team, which identified and reported the vulnerability, the attackers were seen deploying at least one malicious file into the /wpr-addons/forms/ directory.

The plugin, Automattic explains, relied on a simple extension validation to ensure that only certain file types could be uploaded, but the check allowed unauthenticated users to manipulate the list of allowed extensions.

“Upon investigation we found that wp_unique_filename WordPress function performs file name and extensions sanitization and, when combined with the file_validity function, would enable bad actors to manipulate the input and bypass the checks,” Automattic notes.

Site admins should check the /wpr-addons/forms/ directory for the presence of malicious PHP files, including one file creating a user account named ‘wordpress_administrator’.
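One way to script the directory check described above, as an added example that is not from the article, Automattic or the plugin vendor. It assumes the WordPress root is passed as the first argument and, because the article names the directory only as /wpr-addons/forms/, inspects every directory under that root whose path ends that way; the function name and output labels are hypothetical.

```shell
#!/bin/sh
# Added example, not from the article or the plugin vendor.
# Assumption: the WordPress root is passed as the first argument. The article
# names the directory only as /wpr-addons/forms/, so every directory under the
# root whose path ends that way is inspected.

IOC_USER='wordpress_administrator'   # rogue account name given in the article

# Prints one finding per line as "<reason><TAB><path>".
# Returns 0 when clean, 1 when anything was found, 2 on a bad argument.
scan_wpr_forms() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "usage: scan_wpr_forms <wordpress-root>" >&2
        return 2
    fi
    findings=$(
        find "$root" -type d -path '*/wpr-addons/forms' | while IFS= read -r dir; do
            # Names a PHP handler may run, matched case-insensitively; whether
            # a double extension such as x.php.jpg executes depends on the
            # web server configuration, so it is reported for review.
            find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
                -o -iname '*.php.*' -o -iname '*.phtml' -o -iname '*.phar' \) |
                while IFS= read -r f; do printf 'PHP_FILE\t%s\n' "$f"; done
            # Any file, whatever its extension, that mentions the account name.
            grep -rlF -- "$IOC_USER" "$dir" 2>/dev/null |
                while IFS= read -r f; do printf 'IOC_USER\t%s\n' "$f"; done
        done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run the scan when a root directory is supplied on the command line.
if [ "$#" -gt 0 ]; then
    scan_wpr_forms "$1"
fi
```

A reported path is a lead for manual review rather than proof of compromise, and the site's administrator accounts should be checked for the same name separately.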

Automattic also observed that threat actors have been exploiting the vulnerability to upload malware to the compromised websites.

Administrators and site owners are advised to update to Royal Elementor version 1.3.79, which patches the vulnerability. The patched version has been available since October 6.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
