Critical WordPress Plugin Vulnerability – BeaverBuilder and Elementor Affected

Reading Time: 3 minutes

Are you a WordPress user who has “Ultimate Addons for Beaver Builder” or “Ultimate Addons for Elementor” Installed?

If you have not updated since Wednesday, December 11th 2019, chances are that your website has either been attacked or on the list of vulnerable sites just waiting to be attacked.

What Is The Vulnerability?

Security researchers at MalCare have discovered a critical and easy to exploit vulnerability that allows the attacker to bypass authentication in both of the Ultimate add-ons plugins. This would allow remote attackers administrative access to the site – without needing a password.

Many researchers have reports that one of the worst parts is that the exploit started being found in the wild nearly 2 days of it’s discovery – mainly focused on creating persistent access through back door access the attacker can utilize at a later time.

Hundreds of thousands of WordPress sites are currently using the vulnerable plugin, made by Brainstorm Force, in both their Elementor and Beaver builder frameworks. These plugins have been used over the years to enhance the abilities of site admins through widgets, modules, page templates and other services.

What Does It Do?

These exploits reside in the way that both plugins interface with the WordPress account holder which includes administrators, and authenticates them to both Facebook and Google logins.

Yesterday, our team saw unusual activity among websites. This led our team to find the vulnerability which was being exploited in a few sites.

The vulnerability we found occurs as soon as you install the plugin on your website. If a hacker knows the email ID of any user of a WordPress website, they can craft a special request and gain admin control. 

To exploit the vulnerability, the hacker needs to use the email ID of an admin user of the site. In most cases, this information can be retrieved fairly easily. A few hosting providers also make it easy to find the admin email ID of a website. Hence we have reached out to hosting providers informing them about our discovery to minimize the potential damage.

The vulnerability advisory gives information regarding the lack of authentication checks within the authentication call of when a user login through Facebook or Google is processed, the vulnerable plugins can be tricked into allowing malicious users access without requiring a login, at all.

"However, the Facebook and Google authentication methods did not verify the token returned by Facebook and Google, and since they don't require a password, there was no password check," explained WebARX researchers, who also analysed the flaw and confirmed its active exploitation.

"To exploit the vulnerability, the hacker needs to use the email ID of an admin user of the site. In most cases, this information can be retrieved fairly easily," MalCare said.

The details of the incident were shared from MalCare to The Hacker News, confirming that attackers are abusing this flaw to install a fake SEO stats plugin after uploading a file on the targeted WordPress server, which eventually drops a wp-xmlrpc.php backdoor file to the root directory of the vulnerable site.

While the vulnerability was identified on November 12th, 2019 – the below listed plugin versions have been confirmed as vulnerable and installed on a large number of websites.

Within a few hours of being notified a patch had been released and available for download.

Ultimate Addons for Elementor <= 1.20.0
Ultimate Addons for Beaver Builder <= 1.24.0

The Ultimate Addons For Beaver Builder and Ultimate Addons For Elementor were patched within a few hours of being notified but many installations have yet to be updated.

How Do I Protect Myself?

It is highly recommended that you install the update as soon as possible.

Log into your WordPress Admin Console, go to your Plugins and verify the installed version and if there are any updates available. This process should only take a few moments to complete and protect your site.

Have something to say about this article? Comment below or share it with us on Facebook, Instagram, Twitter or Pinterest.

Leave a Reply

Your email address will not be published. Required fields are marked *