The WordPress site users who are using “Ultimate Addons for Beaver Builder,” or “Ultimate Addons for Elementor” must be cautious, as their sites are prone to be attacked by hackers. These addons are not recently updated to the latest available versions.
A critical but easy-to-exploit authentication bypass vulnerability was found in both largely used premium WordPress plugins that could let remote attackers to attain administrative access to sites without the need of any password.
It is important to note that the attackers have already started exploiting this vulnerability in the wild within 2 days of its discovery in order to compromise vulnerable WordPress websites and install a malicious backdoor for later access.
Both the vulnerable plugins are developed by software development company Brainstorm Force. These plugins are used in more than hundreds of thousands of WordPress websites that helps the website admins and designers to extend the functionality of their websites with more widgets, modules, page templates.
The vulnerability was discovered by researchers at web security service MalCare, and it resides in the way both plugins let WordPress account holders, including administrators, authenticate via Facebook and Google login mechanisms.
As per the vulnerability’s advisory, as there are no authentication checks when a user login via Facebook or Google, vulnerable plugins can be tricked into allowing hackers to login as any other targeted user without requiring any password.
WebARX researchers who have also analyzed the flaw stated that in order to exploit the vulnerability, the hacker just have to use the email ID of an admin user of the site which can be obtained easily.
WebARX confirmed that attackers are abusing this flaw to install a fake SEO stats plugin after uploading a tmp.zip file on the targeted WordPress server, which eventually drops a wp-xmlrpc.php backdoor file to the root directory of the vulnerable site.
After finding the vulnerability, MalCare reported it to the developers who has quickly addressed the issue and released patched versions of both within just 7 hours.
The versions of the plugins that are affected include
Ultimate Addons for Elementor <= 1.20.0
Ultimate Addons for Beaver Builder <= 1.24.0
The authentication bypass vulnerability has been patched with the release of “Ultimate Addons for Elementor version 1.20.1” and “Ultimate Addons for Beaver Builder version 1.24.1”. All the users are recommended to update it at the earliest.