Clarifying the Elementor Arbitrary File Upload Vulnerability
Recently, a security vulnerability in Elementor, a popular WordPress plugin, made headlines. Two databases rated its severity at a staggering 9.9 and 8.8. This raised immediate concerns, leading to a straightforward action plan: “Stop everything and update Elementor first.” But is it really that simple? Let’s delve into the key questions:
Are millions of Elementor sites at risk?
Is there an urgent need to update your site, risking potential breakdowns?
The Confusion and Misinformation
The vulnerability databases heightened concerns by stating the issue remained unresolved at the time of disclosure. Some even suggested uninstalling the plugin. This sparked a wave of negative sentiment, with claims that millions of sites were at risk of being hacked. For any average user, this situation is undeniably confusing. While recognizing the importance of vulnerability databases, it’s crucial to acknowledge the potential harm caused by sensationalism, especially in the WordPress ecosystem, where misinformation is rampant.
The Reality of the Threat
The vulnerability in question allows contributors to gain Remote Code Execution (RCE) access. Undoubtedly, unauthorized access of this nature is a serious issue. Yet, most hacks originate from external sources, not insiders. While contributors can inflict damage like inserting malware or spam links, our analysis reveals a different story.
We examined the sites under our protection and found only 0.8% have active contributors. More sites have authors and editors, nearly 10% combined, who already possess significant access. Interestingly, less than 0.03% of sites allow outside contributors to register; those are the genuinely vulnerable ones. The distribution of default roles on sites with registration enabled is as follows:
Contributor: 0.036%
Author: 0.032%
Editor: 0.008%
Administrator: 0.12%
Notably, administrator registration being open is often a sign of a previously hacked site.
Addressing Misconceptions
Contrary to claims by another security provider, the number of sites with open contributor registrations is not as high as feared. Fortunately, some tweets have made the same point.
But at the same time, others are muddying the situation further.
Our Proactive Approach
We’re not suggesting blind trust in all authors, editors, etc. Therefore, we’ve implemented a rule on our firewall to safeguard all sites with the vulnerable plugin. We also recommend having an activity log plugin installed to track the activities of all users on your site. However, we emphasize the need for balanced reporting on such issues to prevent panic.
Answers to the Big Questions
Only around 2,000 sites are truly vulnerable.
If your site isn’t among these 2,000, don’t panic. Updating Elementor is wise, especially if you’re near the latest version. Older versions can be updated systematically.
Bonus Tip: Employ a robust firewall for added protection.
Second Bonus: Avoid falling for sensationalist reporting.
How to Check Your Site’s Vulnerability
To see if your site is open to contributor+ registrations:
In wp-admin, go to Settings > General > Membership.
Check whether “Anyone can register” is ticked and what “New User Default Role” is set to.
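The same check can be scripted against the two WordPress options behind that settings screen. This is an added example, not code from the original post or from MalCare; it assumes WP-CLI is installed and the script runs from the WordPress root, and the option names users_can_register and default_role are WordPress's own.

```shell
#!/bin/sh
# Rank WordPress's default roles from least to most privileged.
# Custom roles (e.g. from e-commerce plugins) get -1: unknown capabilities.
role_rank() {
  case "$1" in
    subscriber)    printf '%s\n' 0 ;;
    contributor)   printf '%s\n' 1 ;;
    author)        printf '%s\n' 2 ;;
    editor)        printf '%s\n' 3 ;;
    administrator) printf '%s\n' 4 ;;
    *)             printf '%s\n' -1 ;;
  esac
}

# assess_registration <users_can_register: 0|1> <default_role>
# Prints one of: closed, open-subscriber, open-contributor-plus,
# open-administrator, open-unknown-role.
# "open-contributor-plus" is the exposure the post describes; an open
# administrator default is, as the post notes, often a sign of prior compromise.
assess_registration() {
  can_register="$1"
  role="$2"
  if [ "$can_register" != "1" ]; then
    printf '%s\n' closed
    return 0
  fi
  rank=$(role_rank "$role")
  if [ "$rank" -eq 0 ]; then
    printf '%s\n' open-subscriber
  elif [ "$rank" -ge 4 ]; then
    printf '%s\n' open-administrator
  elif [ "$rank" -ge 1 ]; then
    printf '%s\n' open-contributor-plus
  else
    printf '%s\n' open-unknown-role
  fi
}

# Live check: read both options from the site's database via WP-CLI.
# Skipped when wp is not on PATH so the functions above can be used on their own.
if command -v wp >/dev/null 2>&1; then
  assess_registration "$(wp option get users_can_register)" "$(wp option get default_role)"
fi
```

A site reporting open-subscriber is not exposed to the contributor+ scenario discussed here; open-contributor-plus is the case to act on.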
Our Solution: Atomic Security
WordPress has safeguards against unauthorized privilege escalation, but these can be misconfigured or overridden. That’s where our Atomic Security comes in. By integrating deeply with WordPress and adopting a low-trust approach, we pre-emptively protect against such vulnerabilities.