Security Expert Re: Critical RCE WordPress Flaw May Affect 500K+ Sites

A critical RCE flaw identified in the Elementor WordPress plugin could affect 500k or more sites. Its critical severity comes from the fact that anyone logged into a vulnerable website can exploit it, including regular subscribers. A threat actor who creates a normal user account on an affected website could change the site's name and theme, making it look entirely different. Plugin Vulnerabilities has also published a proof of concept (PoC) demonstrating exploitability, which increases the risk that vulnerable websites will be compromised.
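The attack path described above (a subscriber-level account reaching functionality that changes the site title and theme) is the classic symptom of a privileged admin-ajax handler missing its authorization checks. The following is an added example, not Elementor's code and not the actual vulnerable code path, which the article does not show; it illustrates how such a handler should be written in a WordPress plugin. The action name, parameter names and plugin header are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Settings Guard (illustrative, not Elementor's code)
 *
 * Added example: a minimal admin-ajax handler that changes the site title
 * and active theme, written so that only users holding the right
 * capabilities can reach it. Hypothetical action and parameter names.
 */

// Registering on wp_ajax_* makes the handler reachable by ANY authenticated
// role, including subscribers. Registration alone is not an authorization
// check; the checks inside the handler are what keep it from being abused.
add_action( 'wp_ajax_example_update_site_look', 'example_update_site_look' );

function example_update_site_look() {
    // 1. CSRF protection: the request must carry a nonce tied to this action.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_update_site_look', '_ajax_nonce' );

    // 2. Authorization: changing the site title needs manage_options and
    //    switching themes needs switch_themes. A subscriber has neither,
    //    so a request from a freshly self-registered account stops here.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'switch_themes' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Input handling: sanitize the title, and only accept a theme that is
    //    actually installed rather than an arbitrary slug.
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    $theme = isset( $_POST['theme'] ) ? sanitize_key( $_POST['theme'] ) : '';

    if ( '' === $title || '' === $theme ) {
        wp_send_json_error( array( 'message' => 'title and theme are required' ), 400 );
    }

    if ( ! wp_get_theme( $theme )->exists() ) {
        wp_send_json_error( array( 'message' => 'unknown theme' ), 400 );
    }

    // 4. Only now touch site state.
    update_option( 'blogname', $title );
    switch_theme( $theme );

    wp_send_json_success( array( 'title' => $title, 'theme' => $theme ) );
}
```

The client side that calls this endpoint must send a nonce generated with `wp_create_nonce( 'example_update_site_look' )` in the `_ajax_nonce` field. When reviewing a plugin, the thing to look for is a `wp_ajax_*` (or, worse, `wp_ajax_nopriv_*`) handler that writes options, switches themes or includes files without a `current_user_can()` check against a specific capability; a nonce check on its own is not authorization, because any logged-in user can obtain a valid nonce for an action the page exposes to them.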

Expert Comments

April 14, 2022
Pravin Madhani
Co-founder and CEO
K2 Cyber Security


WordPress powers as much as a third of all websites on the Internet, including some of the most highly trafficked sites and a large percentage of eCommerce sites, so why aren’t they better equipped to protect against attack? In particular, RCE is one of the most dangerous flaws, because it gives the attacker the ability to run almost any code on the hacked site.

Traditional application security tools like Web Application Firewalls (WAFs) have a tough time with RCE attacks because they rely on understanding a past RCE attack or signature in order to detect a new zero day attack. By sitting closer to the application, runtime solutions have a better understanding of the application’s execution, so are better equipped to identify and stop RCE and other attacks listed on the OWASP Top 10.

For maximum protection, organizations using WordPress should make sure they use security in depth, including application, network and system level security. Finally, the simplest thing any organization can do to help reduce vulnerabilities is to keep their code (WordPress, plugins, SQL server-MySQL/MariaDB, web server-NGINX/Apache) up to date and patched.
