
Two WordPress plugins that allow hackers to gain administrative access.

cyberduck

December 16, 2019

An alarming security issue has recently emerged for users of two popular WordPress plugins developed by Brainstorm Force: Ultimate Addons for Beaver Builder and Ultimate Addons for Elementor. Security firms have identified a significant vulnerability that can give hackers admin-level access to WordPress sites using these plugins.

What Went Wrong?

  1. The Plugins: Both plugins, which facilitate advanced design functionalities for WordPress websites, contain a vulnerability classified as an authentication bypass bug.
  2. The Issue: MalCare, a renowned security firm, highlighted that this loophole allows attackers to gain full control of a WordPress site using the affected plugins.
  3. Quick Action: Upon discovery, Brainstorm Force was swift in its response, rolling out fixes within seven hours for both plugins. It’s crucial for users to update to the patched versions immediately: Ultimate Addons for Beaver Builder (version 1.2.4.1) and Ultimate Addons for Elementor (version 1.20.1).

Exploitation in the Wild

WebARX’s research team found active exploitation attempts on sites using the vulnerable Elementor plugin. The modus operandi involved hackers uploading a file (tmp.zip) that introduces a pseudo SEO stats plugin, which subsequently adds a backdoor to the affected site’s root directory.


How Does The Exploit Work?

The vulnerability hinges on the email address of a site’s admin user. With this email address and the affected plugin active, hackers can simply log into WordPress with admin rights. WebARX explains that the weak link lies in the plugin’s feature that offers login options via username/password, Facebook, and Google. The authentication tokens from Facebook and Google weren’t being validated, leading to this critical lapse.
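The following is an added illustration of that bug class and its fix, written for this article; it is not code from either plugin. The user table, the expected OAuth client id and the HMAC "provider key" are constructed stand-ins so it runs offline (a real Google or Facebook ID token is checked against the provider's published public keys, not a shared secret). The point is that the hardened path takes the email from a token it has verified, never from the request body.

```python
import base64, hashlib, hashlib as _h, hmac, json, time

# Constructed sample data: one site user table and the client id this site expects.
USERS = {"admin@example.com": {"login": "admin", "role": "administrator"}}
EXPECTED_AUDIENCE = "this-site-client-id"
PROVIDER_KEY = b"constructed-provider-key"  # stand-in for the provider's signing key

def mint_token(claims):
    """Issue a token the way a provider would (only here so the example runs offline)."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_token(token, now=None):
    """Return claims only if signature, audience, expiry and email_verified all hold."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):   # forged or tampered signature
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):                  # malformed token
        return None
    now = time.time() if now is None else now
    if claims.get("aud") != EXPECTED_AUDIENCE:       # token issued for another app
        return None
    if claims.get("exp", 0) < now:                   # expired
        return None
    if not claims.get("email_verified"):             # provider never confirmed the address
        return None
    return claims

def vulnerable_social_login(submitted_email):
    """The bug class described above: the submitted email alone selects the account."""
    user = USERS.get(submitted_email)
    return user["login"] if user else None

def hardened_social_login(token, now=None):
    """Fixed pattern: the email comes from a verified provider token, not from the request."""
    claims = verify_token(token, now)
    if claims is None:
        return None
    user = USERS.get(claims.get("email"))
    return user["login"] if user else None
```

Logging a rejected token (wrong audience, expired, bad signature) on the server side gives defenders a detection signal for exactly the kind of abuse WebARX observed.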

Brainstorm Force Responds

Though the potential number of affected customers remains unknown, Brainstorm Force has actively addressed the issue. The company has not only released an update patching the vulnerability but has also assured users that updating the plugin is a straightforward process.

Takeaway for WordPress Users

This incident underscores the importance of regularly updating plugins and keeping abreast of security advisories. For those using either of the Brainstorm Force plugins, immediate updating is crucial.

For a comprehensive understanding of cyber solutions tailored for businesses, explore the Cybersecurity solutions we offer for businesses.

Looking for technology products? Dive into our Technology Centre and enhance your tech arsenal today!

Ready to fortify your business connectivity? Ring us at 📞 1300 024 748 or drop a line through our contact form. Your uninterrupted operations are just a call away.

Book a consultation with Managed Services Australia.

Start your journey towards seamless IT solutions with us today – unlock your business’s true potential!