Security Notice: Vulnerability in the WordPress Plugin Elementor Pro
Posted by Miles R on 20 May 2020 02:04 PM

Dear Customer,

A Remote Code Execution (RCE) vulnerability has been discovered in the Elementor Pro plugin. WordPress is a web-based publishing application implemented in PHP, and the Elementor Pro plugin allows website designers and creators to build web pages using custom themes and widgets. Successful exploitation of this vulnerability could allow an attacker to execute code remotely on the affected site.

Attackers are actively exploiting two security vulnerabilities in the Elementor Pro and Ultimate Addons for Elementor WordPress plugins, with the end goal of remotely executing arbitrary code and fully compromising sites that have not applied the updates.

Plugin Affected:
Elementor Pro plugin prior to 2.9.4

The Exploit:
1) Attackers who successfully exploit this security flaw can then install backdoors or web shells to maintain access to the compromised site, gain full admin access to compromise it completely, or even wipe the entire site.
2) If they can't register as users, they can exploit the second vulnerability affecting the Ultimate Addons for Elementor WordPress plugin (installed on over 110,000 sites) which will allow them to register as subscriber-level users on any site running the plugin even if user registration is disabled.
3) Then they proceed to use the newly registered accounts to exploit the Elementor Pro vulnerability and achieve remote code execution.

What should be done:
1) Apply appropriate updates provided by Elementor manually to affected systems, immediately after appropriate testing.
2) Update Elementor Pro to version 2.9.4 or above which fixes the remote code execution vulnerability.
3) For Ultimate Addons for Elementor, users should upgrade to version 1.24.2 or later.
4) Verify no unauthorized system modifications have occurred on the system before applying the patch.
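To carry out steps 2 and 3 across a hosted site, the following added version check (example code, not part of this notice) flags plugins still below the fixed versions named above; it assumes WP-CLI's `wp plugin list --fields=name,version --format=csv` output format and the plugin slugs `elementor-pro` and `ultimate-elementor`.

```shell
#!/bin/sh
# Added example, not code from the hosting provider's notice: compare installed
# WordPress plugin versions against the fixed versions the notice names.
# Assumptions: WP-CLI CSV output ("name,version" with a header line) and the
# plugin slugs "elementor-pro" and "ultimate-elementor".

# version_lt A B: succeeds when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# fixed_version SLUG: prints the first fixed version for a plugin covered by
# the notice; prints nothing for plugins the notice does not cover.
fixed_version() {
    case "$1" in
        elementor-pro)      echo 2.9.4 ;;
        ultimate-elementor) echo 1.24.2 ;;
    esac
}

# count_vulnerable: reads "name,version" CSV lines on stdin, reports each
# plugin below its fixed version on stderr and prints the count on stdout.
count_vulnerable() {
    count=0
    while IFS=, read -r name version; do
        [ "$name" = "name" ] && continue      # skip the CSV header line
        fixed=$(fixed_version "$name")
        [ -z "$fixed" ] && continue           # not a plugin named in the notice
        if version_lt "$version" "$fixed"; then
            echo "VULNERABLE: $name $version (update to $fixed or later)" >&2
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Constructed sample standing in for `wp plugin list` output on a live site.
SAMPLE='name,version
elementor-pro,2.9.3
ultimate-elementor,1.24.2
akismet,4.1.5'

printf '%s\n' "$SAMPLE" | count_vulnerable
# Live site: wp plugin list --fields=name,version --format=csv | count_vulnerable
```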

For more details, refer to the links given below:

Please contact our support team if you have any questions.
