Security researchers are warning of a critical-severity vulnerability in the Royal Elementor Addons and Templates WordPress plugin that has been exploited as a zero-day for more than a month.
Developed by WP Royal, the plugin helps domain admins build their websites without any coding experience. Royal Elementor has more than 200,000 active installations on the WordPress marketplace.
The exploited bug, tracked as CVE-2023-5360 (CVSS score of 9.8), is described as an insufficient file type validation in the plugin’s upload function, allowing unauthenticated attackers to upload arbitrary files to vulnerable sites, leading to remote code execution.
The flaw impacts all Royal Elementor versions prior to 1.3.79 and, according to WordPress security firm Defiant, has been exploited in malicious attacks since at least August 30.
To date, the security firm has seen more than 46,000 attacks attempting to exploit this vulnerability, with an increase in activity observed on October 3.
Most attacks, Defiant says, came from three different IP addresses and were aimed at deploying specific files on the target sites, to create a malicious administrator account.
According to Automattic’s WPScan team, which identified and reported the vulnerability, the attackers were seen deploying at least one malicious file into the /wpr-addons/forms/ directory.
The plugin, Automattic explains, relied on a simple extension validation to ensure that only certain file types could be uploaded, but which allowed unauthenticated users to manipulate the list of allowed extensions.
“Upon investigation we found that wp_unique_filename WordPress function performs file name and extensions sanitization and, when combined with the file_validity function, would enable bad actors to manipulate the input and bypass the checks,” Automattic notes.
Site admins should check the /wpr-addons/forms/ directory for the presence of malicious PHP files, including one file creating a user account named ‘wordpress_administrator’.
Automattic also observed that threat actors have been exploiting the vulnerability to upload malware to the compromised websites.
Administrators and site owners are advised to update to Royal Elementor version 1.3.79, which patches the vulnerability. The patched version has been available since October 6.