Many websites are built on the WordPress platform, and one of its most popular plug-ins is Elementor, found on over five million websites. Recently a vulnerability was discovered in Elementor (beginning with version 3.6.0) that allowed attackers to upload arbitrary PHP (Hypertext Preprocessor) code and so take over a website completely. It was made possible by a lack of adequate security checks in a new ‘Onboarding’ wizard feature. A case like this only highlights the importance of implementing proper cyber security measures.
What caused the vulnerability?
The issue was a failure to use capability checks within the plug-in. Plug-in developers are expected to include capability checks because they act as a security layer: before an action is carried out, the check verifies the permission level of the logged-in user. Website users are assigned ‘User Roles’ such as administrator, editor, and subscriber. For example, a subscriber should not be able to edit posts but may be able to write a comment below them, and a capability check should refuse the action if the user's permission level does not allow it.
A new module introduced in version 3.6.0 of Elementor did not include any capability checks. Because the check that would have stopped unauthorised users from making changes to the site was missing, a full-site takeover became possible. This matters because WordPress itself stresses the importance of capability checks in its handbook:
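To make the difference concrete, here is an added example of a hypothetical WordPress plug-in endpoint written for this post; it is not Elementor's code, and the route name `example-plugin/v1`, the function names and the `site_title` parameter are all invented for illustration. The first registration shows the weak pattern (a permission callback that always returns true, so no capability check), the second the hardened pattern using WordPress's own `current_user_can()`; the same rule is then applied to a classic admin-ajax handler.

```php
<?php
/**
 * Added example, not Elementor's or WordPress core's code.
 * A hypothetical plug-in registers a REST endpoint that changes a site
 * setting. Weak and hardened registrations are shown side by side.
 */

// Weak: permission_callback always returns true, so any visitor,
// logged in or not, can call this endpoint.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings-weak', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_setting',
        'permission_callback' => '__return_true', // no capability check
    ) );
} );

// Hardened: only users holding the manage_options capability
// (administrators by default) are allowed through.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_setting',
        'permission_callback' => 'example_plugin_can_manage',
        'args'                => array(
            'site_title' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

/**
 * Capability check used as the permission callback. Returning a
 * WP_Error makes the REST API answer with a 403 and a message.
 */
function example_plugin_can_manage( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to change these settings.', 'example-plugin' ),
            array( 'status' => 403 )
        );
    }
    return true;
}

/** The actual work, reached only after the permission callback passes. */
function example_plugin_save_setting( WP_REST_Request $request ) {
    update_option( 'blogname', $request->get_param( 'site_title' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

// The same rule for a classic admin-ajax handler: verify the nonce and the
// capability before touching anything.
add_action( 'wp_ajax_example_plugin_save', function () {
    check_ajax_referer( 'example_plugin_save', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['site_title'] ?? '' ) );
    update_option( 'blogname', $title );
    wp_send_json_success();
} );
```

For cookie-authenticated REST requests WordPress also requires a valid `X-WP-Nonce` header, which it checks before the permission callback runs; the capability check is what decides whether that authenticated user is actually allowed to perform the action.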
My WordPress site uses Elementor — what should I do?
The vulnerability was introduced in Elementor version 3.6.0, so earlier versions of the plug-in are not affected. However, it is always recommended that plug-ins are updated promptly so that your website stays secure and fully optimised. Our expert webmastering services ensure that your website is always up to date. At this stage, we would recommend updating to Elementor 3.6.4, as the Elementor Changelog states that this version fixes issues related to the Onboarding Wizard Module which caused this vulnerability in version 3.6.0.
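As an added example (not Elementor's or teclan's code), the following must-use plug-in shows one way to check the installed version automatically and warn administrators while an update is pending. It treats versions from 3.6.0 up to, but not including, 3.6.4 as affected, following the version numbers given above; the file location `wp-content/mu-plugins/` and the function names are assumptions for this example.

```php
<?php
/**
 * Added example, not part of Elementor. Drop this file into
 * wp-content/mu-plugins/ (assumed location) so it loads on every admin page
 * and shows a notice while an affected Elementor version is installed.
 */

/** True when the given version string falls in the affected range. */
function example_elementor_version_affected( $version ) {
    return version_compare( $version, '3.6.0', '>=' )
        && version_compare( $version, '3.6.4', '<' );
}

/** Installed Elementor version, or null when the plug-in is not active. */
function example_installed_elementor_version() {
    // ELEMENTOR_VERSION is the constant the plug-in defines when it loads.
    return defined( 'ELEMENTOR_VERSION' ) ? ELEMENTOR_VERSION : null;
}

add_action( 'admin_notices', function () {
    // Only show the notice to users who are able to act on it.
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $version = example_installed_elementor_version();
    if ( $version !== null && example_elementor_version_affected( $version ) ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( sprintf(
                'Elementor %s is installed. Versions from 3.6.0 before 3.6.4 contain the Onboarding module issue; update to 3.6.4 or later.',
                $version
            ) )
        );
    }
} );
```

The check runs on every admin page load, so the notice disappears as soon as the plug-in is updated to 3.6.4 or later.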
What other cyber security measures should I be taking?
Cyber security is now as important as hosting, web design, and domain management. It is essential for the safety and security of your online business, and this recent threat to Elementor shows how crucial it is to keep your website secure. For business owners, technical website elements can sometimes slip under the radar. At teclan, we ensure that your website is protected and prepared — whether you’re building an entirely new site or looking to migrate an existing website, we work hard to make your site as secure as possible. Our Gatekeeper packages go a long way to protecting your website against malicious attacks, while our webmastering services make sure your site stays on top of the technical game.