One flaw found in WordPress plugins Ultimate Addons for Beaver Builder and Ultimate Addons for Elementor is actively being exploited.

UPDATE

Security researchers are warning users of two WordPress plugins – made by Brainstorm Force – that they need to patch a “major” vulnerability that could allow hackers to gain administrative access to any website using the plugins. According to Brainstorm Force, it is only aware of one customer whose website was compromised because of this bug. However, another source has also reported a successful attack since the bug was discovered on Wednesday.

The plugins in question are Ultimate Addons for Beaver Builder and Ultimate Addons for Elementor. Both WordPress plugins are designed to help website publishers easily add advanced designs and user functions to websites built using the specific frameworks Beaver Builder and Elementor.

“[This is] a major vulnerability that could allow hackers to gain admin access to any WordPress website that had the plugin installed. This means hackers can gain full control of your website if you are using the plugin,” wrote security firm MalCare, in a post published Thursday.

MalCare said it discovered the flaw, classified as an authentication bypass bug, on Wednesday and immediately alerted Brainstorm Force the same day. Developers at Brainstorm Force moved fast, releasing a fix for the bug affecting both plugins within seven hours. Patched versions are Ultimate Addons for Beaver Builder (version 1.2.4.1) and Ultimate Addons for Elementor (version 1.20.1).

Under Attack

A research team at web application security firm WebARX said it also began tracking the bug this week and claims hackers are actively exploiting the vulnerability.

“We’ve learned over the forensics that the attackers have been targeting websites with Ultimate Add-ons Elementor plugin since the 10th of December,” WebARX wrote in a company blog post.

WebARX claims that hackers are targeting vulnerable sites and, “uploading tmp.zip file to install fake SEO stats plugin which will then add a wp-xmlrpc.php backdoor to the root directory of the vulnerable website. After the infection, multiple IPs try to access the wp-xmlrpc.php file.”

Brainstorm Force told Threatpost it doesn’t know for sure how many potential customers are impacted by this bug because the sites using the plugins are hosted on servers outside its purview. “As a hacker needs to know the email address of the [WordPress admin] user, the number of exploits might be low,” a company spokesperson told Threatpost.

Plugin Problems

Researchers explain that the vulnerability is present when either the Elementor or the Beaver Builder plugin is installed on a WordPress site. To exploit the bug, all a hacker needs is the email address of an admin user of the site, MalCare explains. Next, so long as the affected plugin is in use, gaining administrator access to the website is as easy as logging into WordPress.

“The vulnerable version of the plugin has a feature that allows people to log in using a regular username/password combination, Facebook and Google,” WebARX explained. “However, the Facebook and Google authentication methods did not verify the token returned by Facebook and Google, and since they don’t require a password, there was no password check.”
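The root cause WebARX describes is a social-login handler that trusts the identity named in the request without checking it against the provider. The following is an added, hypothetical WordPress callback written for this article (it is not the Brainstorm Force plugin's code) showing the check that was missing: the user is looked up only from claims that Google's tokeninfo endpoint has validated, and the token's audience is checked against the site's own client ID (`EXAMPLE_GOOGLE_CLIENT_ID` is a placeholder).

```php
<?php
// Hypothetical WordPress social-login callback (example only, not the
// Brainstorm Force plugin code). Identity comes from the provider-issued
// ID token, never from a caller-supplied email field.

define( 'EXAMPLE_GOOGLE_CLIENT_ID', 'YOUR-CLIENT-ID.apps.googleusercontent.com' ); // placeholder

/**
 * Verify a Google ID token with Google's tokeninfo endpoint and return the
 * verified claims, or a WP_Error. Google rejects tampered or expired tokens
 * with a non-200 status; checking the audience is the site's own job.
 */
function example_verify_google_id_token( $id_token ) {
    $url  = 'https://oauth2.googleapis.com/tokeninfo?id_token=' . rawurlencode( $id_token );
    $resp = wp_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return new WP_Error( 'bad_token', 'Provider did not accept the token.' );
    }
    $claims = json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( ! is_array( $claims )
        || empty( $claims['aud'] ) || EXAMPLE_GOOGLE_CLIENT_ID !== $claims['aud'] // issued for this site?
        || empty( $claims['email'] ) || 'true' !== (string) $claims['email_verified'] ) {
        return new WP_Error( 'bad_token', 'Token claims do not match this site.' );
    }
    return $claims;
}

/**
 * Log the user in only from a verified claim. The flaw described above was
 * the absence of this step: the email in the request was trusted directly,
 * so neither a password check nor a provider check ever ran.
 */
function example_social_login_from_request() {
    $id_token = isset( $_POST['id_token'] ) ? wp_unslash( $_POST['id_token'] ) : '';
    $claims   = example_verify_google_id_token( $id_token );
    if ( is_wp_error( $claims ) ) {
        wp_die( 'Social login failed.', '', array( 'response' => 403 ) );
    }
    // Look the account up by the email Google vouched for, not by request input.
    $user = get_user_by( 'email', sanitize_email( $claims['email'] ) );
    if ( ! $user ) {
        wp_die( 'No account for this identity.', '', array( 'response' => 403 ) );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    wp_safe_redirect( admin_url() );
    exit;
}
```

Facebook logins need the equivalent step against Facebook's token debug endpoint, with the app ID checked in place of the audience claim.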

Brainstorm Force did make a public statement on the Elementor and Beaver Builder bugs. It also told Threatpost, “We’ve released an update and have patched the vulnerable code. Users can apply the patch by updating the plugin in one click. Users who have registered their licence key see an update notification in their WordPress dashboard. All they need to do is click update.”

(This article was updated at 6:15 ET 12/13/2019 with a response from Brainstorm Force.)
