Clarifying the Elementor Arbitrary File Upload Vulnerability


Recently, a security vulnerability in Elementor, a popular WordPress plugin, made headlines. Two vulnerability databases rated its severity at a staggering 9.9 and 8.8. This raised immediate concerns and led to a straightforward action plan: “Stop everything and update Elementor first.” But is it really that simple? Let’s look at the key questions:

Are millions of Elementor sites at risk?
Is there an urgent need to update your site, even at the risk of breaking it?

The Confusion and Misinformation

The vulnerability databases heightened concerns by stating that the issue remained unresolved at the time of disclosure. Some even suggested uninstalling the plugin. This sparked a wave of negative sentiment, with claims that millions of sites were at risk of being hacked. For the average user, this situation is undeniably confusing. While recognizing the importance of vulnerability databases, it’s crucial to acknowledge the harm caused by sensationalism, especially in the WordPress ecosystem, where misinformation is rampant.

The Reality of the Threat

The vulnerability in question allows an authenticated user with the Contributor role or higher to upload arbitrary files and thereby gain Remote Code Execution (RCE). Unauthorized access of this nature is undoubtedly serious. But the important detail is that the attacker first needs an account on the site: the flaw is not exploitable by an anonymous visitor. Most hacks originate from external sources, not insiders. While contributors can inflict damage such as inserting malware or spam links, our analysis reveals a different story.

We examined the sites under our protection and found that only 0.8% have active contributors. More sites have authors and editors, nearly 10% combined, and those users already possess significant access regardless of this bug. What matters for an outside attacker is whether a site lets anyone register and hands new accounts a Contributor or higher role. Only a tiny fraction of sites do: under 0.2% across all such default roles, and about 0.04% for the Contributor role itself. Those are the genuinely exposed ones. The distribution of default roles on sites with registration enabled is as follows:

Contributor: 0.036%
Author: 0.032%
Editor: 0.008%
Administrator: 0.12%


Notably, administrator registration being open is often a sign of a previously hacked site.

Addressing Misconceptions


Contrary to claims by another security provider, the number of sites with open contributor registration is not as high as feared, and some commentators on Twitter have pointed out the same thing.

At the same time, others are muddying the situation further.

Our Proactive Approach


We’re not suggesting blind trust in all authors, editors, and so on. That is why we’ve added a rule to our firewall that protects every site running the vulnerable plugin. We also recommend installing an activity log plugin so that the actions of every user on your site are recorded and can be reviewed. Nevertheless, we emphasize the need for balanced reporting on such issues to prevent panic.

Answers to the Big Questions


Only around 2,000 sites are truly exposed to an outside attacker.
If your site isn’t among those 2,000, don’t panic. Updating Elementor to a patched release is still wise, especially if you’re already close to the latest version. Sites on much older versions can be updated systematically, after a backup and a test.
Bonus Tip: Employ a robust firewall for added protection.
Second Bonus: Don’t fall for sensationalist reporting.

How to Check Your Site’s Vulnerability


To see whether your site lets outsiders register with a Contributor or higher role:

In wp-admin, go to Settings > General > Membership.
Check whether “Anyone can register” is ticked, and what the “New User Default Role” is set to.

If registration is off, or it is on but the default role is Subscriber, an anonymous attacker cannot obtain the account this bug requires. If registration is on and the default role is Contributor, Author, Editor, or Administrator, treat the site as exposed and update immediately.
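The same check, scripted, as an added example that is not part of the original post. It uses WP-CLI to read the two options behind that settings screen (`users_can_register` and `default_role`) and counts the users who already hold a Contributor or higher role. The decision logic lives in `exposure_verdict` so it can be run against constructed values; the live part assumes `wp` is on PATH and is run from the site root.

```shell
#!/usr/bin/env sh
# Added example (not MalCare's code): is this WordPress site exposed to a
# Contributor+ vulnerability through open registration?
#
# Inputs mirror the wp_options rows behind Settings > General > Membership:
#   users_can_register : "0" or "1"
#   default_role       : role slug, e.g. subscriber, contributor, author
#
# Verdicts:
#   not-exposed : registration is closed, or new accounts get Subscriber
#   exposed     : anyone can register straight into Contributor or higher
#   review      : a custom role slug; check its capabilities by hand
exposure_verdict() {
  can_register="$1"
  default_role="$2"
  if [ "$can_register" != "1" ]; then
    echo "not-exposed"
    return 0
  fi
  case "$default_role" in
    subscriber) echo "not-exposed" ;;
    contributor|author|editor|administrator) echo "exposed" ;;
    *) echo "review" ;;
  esac
}

# Live check via WP-CLI (assumed to be installed and run from the site root).
# Reports the verdict plus how many existing accounts already hold a role
# that can reach the vulnerable code path, since those users matter too.
check_site() {
  can_register="$(wp option get users_can_register)"
  default_role="$(wp option get default_role)"
  echo "users_can_register=$can_register default_role=$default_role"
  echo "verdict: $(exposure_verdict "$can_register" "$default_role")"
  for role in contributor author editor administrator; do
    n="$(wp user list --role="$role" --format=count)"
    echo "existing $role accounts: $n"
  done
  if wp plugin is-active elementor; then
    echo "elementor version: $(wp plugin get elementor --field=version)"
  fi
}

# Run the live check only when asked, so the functions can be sourced
# and tested without touching a real site.
if [ "${1:-}" = "--live" ]; then
  check_site
fi
```

Run it as `sh check-exposure.sh --live` from the site root. A verdict of `review` means registration is open but the default role is a custom slug (membership and e-commerce plugins often add their own); such plugins can also create accounts through their own forms regardless of this setting, so check what capabilities those roles carry rather than relying on the option alone.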

Our Solution: Atomic Security

WordPress has safeguards against unauthorized privilege escalation, but plugins and misconfiguration can override them. That is where our Atomic Security comes in. By integrating deeply with WordPress and adopting a low-trust approach to every user role, we pre-emptively protect against vulnerabilities of this kind.
