Flaws in Backup Migration and Elementor WordPress Plugins Allow Remote Code Execution

December 12, 2023 at 09:30AM

Two popular WordPress plugins, Elementor and Backup Migration, have been found to have critical remote code execution (RCE) vulnerabilities, affecting over 5 million users. Elementor’s RCE flaw was due to an authenticated arbitrary file upload issue, while Backup Migration’s CVE-2023-6553 vulnerability was exploited to include malicious PHP code. Updated versions have been released, and site owners are strongly advised to update promptly.

Key takeaways:

– Two popular WordPress plugins, Elementor and Backup Migration, have been found to have critical remote code execution (RCE) vulnerabilities.
– Elementor, with over 5 million active installations, was found to have an authenticated arbitrary file upload defect that enables RCE. The issue was identified in version 3.17.3 and an incomplete patch was included in version 3.18.1, but the complete fix was released in version 3.18.2.
– Backup Migration, which has over 90,000 active installations, has a vulnerability (CVE-2023-6553) in the /includes/backup-heart.php file, allowing for RCE without authentication. This was addressed with the release of version 1.3.8.
– Site owners, administrators, and developers are advised to update to the latest versions of Elementor and Backup Migration to mitigate the security risks posed by these vulnerabilities.
– It’s crucial to note that unpatched vulnerabilities in WordPress plugins are often exploited by threat actors, and therefore prompt action is recommended to avoid potential attacks.
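The advisory asks site owners to confirm they are on the patched releases (Elementor 3.18.2, Backup Migration 1.3.8). As an added example that is not part of the original article, the following script reads the standard WordPress "Version:" plugin header and compares it numerically against those fixed versions; the plugin directory slugs and main-file names are assumptions about the plugin layout, and the sample header is constructed.

```python
import re
from pathlib import Path

# First fully patched release per plugin, as stated in the article.
# Directory slugs and main-file names are assumptions about the plugin layout.
FIXED = {
    "elementor": ("elementor.php", "3.18.2"),
    "backup-backup": ("backup-backup.php", "1.3.8"),  # Backup Migration
}

# Matches the "Version:" line of a WordPress plugin header comment.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_header_version(text):
    """Return the value of the plugin header's 'Version:' field, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def version_key(v):
    """Numeric tuple so that 1.3.10 sorts after 1.3.8 (a string compare would not)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(slug, installed):
    """True when the installed version predates the first fully patched release."""
    if slug not in FIXED:
        return False
    return version_key(installed) < version_key(FIXED[slug][1])


def scan_plugins(plugins_dir):
    """Map slug -> (installed version, vulnerable?) for the plugins named above."""
    results = {}
    for slug, (main_file, _) in FIXED.items():
        path = Path(plugins_dir) / slug / main_file
        if not path.is_file():
            continue  # plugin not installed
        version = parse_header_version(path.read_text(errors="replace"))
        if version:
            results[slug] = (version, is_vulnerable(slug, version))
    return results


# Constructed sample header in the shape WordPress expects at the top of a plugin's main file.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: Elementor\n * Version: 3.18.1\n */\n"
```

Run `scan_plugins("/path/to/wp-content/plugins")` on a site to list which of the two plugins are still on a pre-fix version.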
