MalCare Blocks 11000+ Attacks on Royal Elementor Plugin v1.3.78 RCE Vulnerability Before Patch Release

MalCare blocked more than 11000 attempts to exploit the recently discovered Royal Elementor plugin vulnerability. Our firewall protected sites for over a week before the vulnerability was patched and for more than two weeks before it was disclosed. 

This incident is a great showcase of MalCare’s new proactive threat defense capabilities: Atomic Security, which ensures your WordPress sites remain secure 24/7/365.

What happened

From September 29 to October 18, 2023, MalCare blocked over 11000 attempts to attack our customer sites using the Royal Elementor plugin vulnerability. These attacks originated from multiple IPs based all over the world. We also saw a tremendous spike in attack numbers once the vulnerability was disclosed publicly.

Here are the MalCare firewall stats for these attacks (as of October 18, 2023):

[Figures: Royal Elementor pie chart; Royal Elementor column chart]

The seriousness of these attacks was such that even a single bad request could effectively take over your entire WordPress site. Hence, we would recommend you update the Royal Elementor plugin on your WordPress site immediately.

What is the Royal Elementor WordPress plugin vulnerability

Plugin information

  • Vulnerable plugin version: v1.3.78 and earlier
  • Patch release version: v1.3.79 and later

About the vulnerability

Royal Elementor is an extension plugin for one of the most popular WordPress page builder plugins. It contains addons, template kits, theme and WooCommerce builders, etc., with a premium version that offers even more features. It boasts a setup that allows users to design their sites without having to write a single line of code.

The vulnerability in the Royal Elementor plugin could potentially allow hackers to upload malicious files on a target website’s server, resulting in Remote Code Execution (RCE) attacks. With an active install count of more than 200,000, this plugin exposed a sizeable number of WordPress sites to the risk of being hacked.

The vulnerability has now been fixed with the release of Royal Elementor v1.3.79 on October 6, 2023.

Concerned code

If you have reason to believe that your site might have been compromised using this vulnerability, we advise you to look for the following files on your site’s servers:

./wp-content/uploads/wpr-addons/forms/b1ack-N.php, where N=1,2,3, and so on

./wp-content/uploads/wpr-addons/forms/index.php

./wp-content/uploads/wpr-addons/forms/wp.php

If you find these files, take immediate action to update the Royal Elementor plugin and install MalCare to remove any traces of malware on your site.
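
The file check above can be scripted. The following is an added example, not code from MalCare or the plugin's developer; the function names are hypothetical, and it assumes shell access to the server and that the WordPress root is passed as the first argument.

```shell
#!/bin/sh
# Added example: search a WordPress install for the indicator files listed
# above. Function names are hypothetical, not part of any MalCare tooling.

# Print every file directly inside wp-content/uploads/wpr-addons/forms/ whose
# name matches the list: b1ack-N.php (N = 1, 2, 3, ...), index.php, wp.php.
find_wpr_indicators() {
    wp_root=${1:-.}
    forms_dir="$wp_root/wp-content/uploads/wpr-addons/forms"
    # A missing directory means none of the listed files can be present.
    [ -d "$forms_dir" ] || return 0
    find "$forms_dir" -maxdepth 1 -type f -name '*.php' 2>/dev/null |
        grep -E '/(b1ack-[0-9]+|index|wp)\.php$' |
        sort
}

# Return 0 when none of the listed files exist, 1 when any is present.
# Matches are listed with size and modification time to help with triage.
check_wp_site() {
    hits=$(find_wpr_indicators "$1")
    if [ -z "$hits" ]; then
        echo "OK: no listed indicator files under $1"
        return 0
    fi
    echo "FOUND indicator files under $1:"
    printf '%s\n' "$hits" | while IFS= read -r f; do
        ls -l -- "$f"
    done
    return 1
}

# Run against the path given on the command line, if any.
if [ $# -gt 0 ]; then
    check_wp_site "$1"
fi
```

A clean result only means these specific file names are absent; it does not show that the site was never compromised.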

How is your WordPress site at risk

Your WordPress site could be exposed to RCE attacks if it runs the Royal Elementor plugin v1.3.78 or earlier. These RCE attacks allow malicious actors to insert code into your site, gain access to it remotely, turn themselves into site admins, and perform activities that harm your site and expose your data as well as your site visitors’ data.

For example, a hacker might install code on your site that steals information exchanged between your site’s server and your users’ systems. This can lead to loss of private data as well as trust in your site. Moreover, this code could slow down your site while performing its actions, resulting in dismal site delivery, disappointed users, and a fall in search rankings.

RCE attacks are also known for even graver consequences. With full access to your site, hackers could use it to:

Consequently, addressing this security issue becomes critically important.

Who discovered this vulnerability

The Royal Elementor vulnerability was discovered by WPScan researcher Fioravante Souza on October 3, 2023. Subsequently, WP Royal, the developer of the Royal Elementor plugin, was informed and a patch was released to address this vulnerability for all users on October 6, 2023.

How MalCare’s Atomic Security prevented these hacks

Vulnerabilities pose a risk even before they surface. If they are unearthed by responsible security experts, they can be expected to inform the plugin developers so that a patch can be quickly created. However, if malicious actors find them, potential exploitation of sites is a scary possibility.

Now, virtual patching, while useful in certain scenarios, often falls short. It reacts to threats rather than proactively preventing them, leaning towards a defensive approach instead of a proactive one. As a result, website owners have to rely on the diligence of a firewall provider to release patches in time.

Any time gap between discovering a vulnerability and its patching leaves sites exposed during this interim period. Furthermore, virtual patching serves as a temporary fix for each vulnerability rather than providing a long-term solution.

Concurrently, generic firewalls are toothless when it comes to these vulnerabilities. Their protection, as the name suggests, is quite generic. Addressing these issues requires WordPress-specific rules, something that these firewalls do not possess.

This is where MalCare’s Atomic Security comes in. Its intelligent algorithms and smart rulesets identify patterns in vulnerabilities and stop attacks in their tracks. As a result, vulnerabilities are defended even before plugin developers fix them, as in this case. Together with MalCare’s strong malware-checking features, Atomic Security is a superb defender for your WordPress site.

How else does MalCare protect WordPress sites

Atomic Security is just the beginning of MalCare’s holistic approach to protecting WordPress sites. MalCare also:

  • scans your site daily and automatically to detect any malware at the earliest
  • uses its strong malware removal utility to eradicate any malicious code that may have found its way into your site
  • proactively alerts upon finding vulnerabilities in plugins and themes on your site so that you can address them right away
  • provides robust protection against bots to ensure an overall faster site
  • adds automatic, offsite backups to form a wholesome security net for your site
