Security Expert Re: Critical RCE WordPress Flaw May Affect 500K+ Sites

A critical RCE flaw identified in the Elementor WordPress plugin could affect 500k or more sites. Its critical severity stems from the fact that anyone logged into a vulnerable website can exploit it, including regular subscribers. A threat actor who creates a normal user account on an affected website could change the site's name and theme, making it look entirely different. Plugin Vulnerabilities has also published a proof of concept (PoC) demonstrating exploitability, which increases the risk that vulnerable websites will be compromised.
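The article's key point is that a low-privilege account (a subscriber) can trigger a site-wide change. In WordPress that pattern almost always means a privileged action was exposed to every logged-in user without an authorization check. The following is an added illustration written for this page; it is not Elementor's code, the page does not describe the plugin's internals, and the `example_*` function and action names and the `example_settings_nonce` nonce are hypothetical. It shows the weak handler pattern beside its hardened form using standard WordPress APIs.

```php
<?php
// Added illustration (not Elementor's code): an admin-ajax handler that
// changes site-wide settings. The weak form relies on the caller being
// logged in, so any subscriber can reach it; the hardened form adds a
// nonce check and capability checks before touching anything.

// Weak pattern: authentication without authorization.
// wp_ajax_{action} fires for *every* logged-in user, subscribers included.
function example_save_site_settings_weak() {
    $name  = sanitize_text_field( wp_unslash( $_POST['site_name'] ?? '' ) );
    $theme = sanitize_key( $_POST['theme'] ?? '' );
    update_option( 'blogname', $name ); // renames the site
    switch_theme( $theme );             // swaps the active theme
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_weak', 'example_save_site_settings_weak' );

// Hardened pattern: verify the request origin (nonce) and the caller's
// capabilities first. Subscribers lack manage_options and switch_themes,
// so the handler refuses them with a 403 instead of acting on the request.
function example_save_site_settings_hardened() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' ); // dies on failure

    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'switch_themes' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    $name  = sanitize_text_field( wp_unslash( $_POST['site_name'] ?? '' ) );
    $theme = sanitize_key( $_POST['theme'] ?? '' );

    // Only accept a theme that is actually installed on this site.
    if ( ! wp_get_theme( $theme )->exists() ) {
        wp_send_json_error( array( 'message' => 'Unknown theme' ), 400 );
    }

    update_option( 'blogname', $name );
    switch_theme( $theme );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_save_site_settings_hardened' );
```

When auditing a plugin for this class of flaw, look at every `wp_ajax_*` and REST route callback and confirm it performs a `current_user_can()` check appropriate to what it changes; being logged in is not a permission.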

1 Expert Comment
Pravin Madhani, Co-founder and CEO
InfoSec Expert
April 14, 2022 3:19 pm

WordPress powers as much as a third of all websites on the Internet, including some of the most highly trafficked sites and a large percentage of eCommerce sites, so why aren’t they better equipped to protect against attack? In particular, RCE is one of the most dangerous flaws, because it gives the attacker the ability to run almost any code on the hacked site.

Traditional application security tools like Web Application Firewalls (WAFs) have a tough time with RCE attacks because they rely on understanding a past RCE attack or signature in order to detect a new zero day attack. By sitting closer to the application, runtime solutions have a better understanding of the application’s execution, so are better equipped to identify and stop RCE and other attacks listed on the OWASP Top 10.

For maximum protection, organizations using WordPress should make sure they use security in depth, including application, network and system level security. Finally, the simplest thing any organization can do to help reduce vulnerabilities is to keep their code (WordPress, plugins, SQL server (MySQL/MariaDB), web server (NGINX/Apache)) up to date and patched.
