The Cyber Security News

Critical Bug Found in WordPress Plugin for Elementor with Over a Million Installations

February 2, 2022

A WordPress plugin with over one million installs has been found to contain a critical vulnerability that could result in the execution of arbitrary code on compromised websites.

The plugin in question is Essential Addons for Elementor, which provides WordPress site owners with a library of more than 80 elements and extensions to help design and customize pages and posts.

“This vulnerability permits any user, regardless of their authentication or authorization status, to perform a local file inclusion attack,” Patchstack stated in a report. “This attack can be used to include local files on the filesystem of the website, such as /etc/passwd. This can also be used to perform RCE by including a file with malicious PHP code that normally can’t be executed.”

That said, the vulnerability only exists if widgets like dynamic gallery and product gallery are used, which rely on the vulnerable function, resulting in local file inclusion – an attack technique in which a web application is tricked into exposing or running arbitrary files on the webserver.

The flaw impacts all versions of the addon from 5.0.4 and below, and researcher Wai Yan Myo Thet is credited with discovering the vulnerability. Following responsible disclosure, the security hole was finally plugged in version 5.0.5, released on January 28 “after various insufficient patches.”
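A defender's check for the version range above, as an added example that is not from the article or the plugin's authors: it reads each plugin's standard WordPress header and flags copies of the addon older than 5.0.5. Matching on the display name "Essential Addons for Elementor" is an assumption, and the folder names and plugin files in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (5, 0, 5)                        # first fixed release, per the article
NAME = "Essential Addons for Elementor"  # assumed "Plugin Name" header value

def read_header(php_file: Path, field: str):
    """Return a WordPress plugin header field (e.g. 'Version') or None.
    WordPress itself only scans the first 8 KiB of the file."""
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    m = re.search(rf"^[ \t/*#@]*{re.escape(field)}:(.*)$", head, re.M | re.I)
    return m.group(1).strip() if m else None

def parse_version(text: str):
    """'5.0.4' -> (5, 0, 4); missing parts count as 0, '-beta' suffixes drop."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def audit(plugins_dir: Path):
    """Yield (plugin_folder, version, vulnerable) for each matching plugin."""
    for php in sorted(plugins_dir.glob("*/*.php")):
        name = read_header(php, "Plugin Name")
        version = read_header(php, "Version")
        if name and version and NAME.lower() in name.lower():
            yield php.parent.name, version, parse_version(version) < FIXED

def demo():
    """Run the audit over a constructed wp-content/plugins directory."""
    samples = [("site-a-copy", "5.0.4"), ("site-b-copy", "5.0.5"),
               ("site-c-copy", "4.9")]
    with tempfile.TemporaryDirectory() as tmp:
        for folder, ver in samples:
            plugin = Path(tmp, folder)
            plugin.mkdir()
            (plugin / "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {NAME}\n * Version: {ver}\n */\n")
        other = Path(tmp, "other")
        other.mkdir()
        (other / "other.php").write_text(
            "<?php\n/*\nPlugin Name: Other\nVersion: 1.0\n*/\n")
        return list(audit(Path(tmp)))

if __name__ == "__main__":
    for folder, version, vulnerable in demo():
        state = "vulnerable, update to 5.0.5 or later" if vulnerable else "ok"
        print(f"{folder}: {version} -> {state}")
```

On a real host, pass the site's `wp-content/plugins` directory to `audit()` instead of calling `demo()`.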

The development comes weeks after it emerged that unidentified actors tampered with dozens of WordPress themes and plugins hosted on a developer’s website to inject a backdoor with the goal of infecting further sites.

Some parts of this article are sourced from:
thehackernews.com

Copyright © TheCyberSecurity.News, All Rights Reserved.