- Two popular “Ultimate Addons” plugins allow hackers to take full control of WordPress websites.
- The only thing that the attacker would require is the administrator’s email ID, which is easy to source.
- Users are advised to use only the necessary tools and to keep their software up to date through patching.
Malcare researchers have discovered two critical and highly severe vulnerabilities that underpin the “Ultimate Addons for Elementor” and “Ultimate Addons for Beaver Builder” WordPress plugins. Ultimate Addons is a widely-used plugin that allows WordPress website designers to create their websites a lot faster and easier. Hundreds of thousands of websites out there have been built using Ultimate Addons, as these tools enable non-tech-savvy to reach the desired results without much effort. That said, discovering a vulnerability in these plugins, and especially one that is very easy to exploit is hugely important.
Malcare discovered that hackers could gain admin access to any website that had the above plugins installed, potentially gaining full control of the target. The discovery took place on December 11, 2019, and a patch was released immediately, within a couple of hours. That said, the latest versions that are safe to use are Ultimate Addons for Beaver Builder 184.108.40.206 and Ultimate Addons for Elementor 1.20.1. If you are using an earlier version, you should upgrade to the latest immediately, as crooks will be actively searching for flawed websites now that the vulnerability has been disclosed.
For the attack to work, the hacker will need to know the email ID of the administrator of the target WordPress website. This is not that hard to source, as even hosting service providers often publicly list this type of detail. As we’re only three days after the release of the fixing patch, there is still a large number of websites that haven’t updated their Ultimate Addons plugins yet, so the details of how the exploit works cannot be disclosed just yet. The risks are great and involve the stealing of data, redirections to phishing websites, or even the conscription of the target website to launch large-scale attacks.
For those who have trouble applying the update from the wp-admin dashboard (an update alert should be flashing there already), you should proceed to manual patching immediately. To do this, you should deactivate and delete the previous version of the plugin which comes at no risk of losing any data. Then, download the latest version from Brainstorm Force’s website and perform a clean installation. This is another example that shows why keeping your WordPress installation and all of the plugins that you are using updated is so important. Also, limiting the use of WordPress plugins only to those that you absolutely need, minimizes the chances of being vulnerable to hacker attacks in general.