Published
Updated

Security threat monitoring is a part of our upkeep service. Sometimes the monitoring reveals severe 0-day security vulnerabilities, which means vulnerabilities that have no security update available. On Saturday 6th of March a severe 0-day like this was noticed. As a first step all affected sites in our upkeep were secured by removing the vulnerable plugin and cleaning the site from possible malicious content. Seravo’s customers didn’t need to take any action.

No security update available

On Saturday March 6th our security threat monitoring noticed some unusual activity and it was soon identified to be a 0-day vulnerability in The Plus Addons for Elementor Page Builder plugin (CVE-2021-24175). It became quickly clear that the latest version at the time (4.1.5) was vulnerable meaning there was no security update available.

The vulnerability allows using the site with any user’s permissions (including admin users) without a password. Digging the logs this was discovered as a POST query:

POST /wp-admin/admin-ajax.php

This is a severe vulnerability because it allows the attacker to do whatever they want – steal or destroy data, use the site to attack other sites or attack the infrastructure. We noticed that an attacker had uploaded malicious content to be executed:

GET /wp-admin/plugin-install.php 
POST /wp-admin/update.php?action=upload-plugin

Preventing vulnerability exploits is a part of our development goals. This time Seravo’s environment was able to block by default the malware execution the attacker tried to do on breached sites. The uploaded malicious content did not cause harm to Seravo’s customers.

Current status

As a part of our security threat handling the plugin developers were contacted already on March 6th. We also contacted WPScan WordPress Vulnerability Database and Finnish National Cyber Security Centre so that all WordPress users could know about the vulnerability as soon as possible.

Eventually a fix for the vulnerability was released with plugin version 4.1.7 on March 9th.

Proof-of-concept code and more details will be released later when it’s responsible to do so and fix for this vulnerability is available.

Security advice to WordPress site owners

If you own a website online, WordPress or not, you need to take security seriously. Even if you don’t think your own site has anything important, an attacker could use it to mount attacks on other websites and you could be held partly liable.

The basic security advice has been the same for many years:

  • Make regular updates, and security updates quickly. Prefer a hosting and upkeep partner that does this on your behalf, such as Seravo.
  • Make backups, automatically, every day. Whatever misfortune your site might have, backups often save the day as it allows one to restore a clean and functional version of the site. Seravo’s upkeep always include automatic pull-style backups that don’t even depend on WordPress to function.
  • Use some kind of monitoring service to detect if the site goes down so it can be quickly brought up again. There are many cheap online services out there that offer monitoring and email alerts as a separate service. Seravo goes a step further: our service includes 24/7 monitoring and also the response. We take upkeep seriously.
  • Follow good password hygiene so that they are not too easy to guess and that passwords leaked from other sites cannot be re-used to gain entry on your WordPress site.
  • Use HTTPS. It should be standard in 2020, but still not everybody uses. Any security protection is nullified if the login credentials can be eavesdropped over the network. By choosing a good service provider the use of HTTPS will be included without any additional price and on by default. Good WordPress providers usually also offer many other additional security features.

We often hear about WordPress site owners that try to solve security by installing yet another plugin. We don’t believe in this, as we often have seen that plugins are the cause of WordPress security issues, not the solution. This we repeat over and over in our WordPress 101 presentation. We advice WordPress site owners to review and remove all unnecessary WordPress plugins to decrease the so called attack surface of their site.

How to clean up after a breach?

Any site could have a security breach at any time, so it is good to have a recovery plan. Check out the following presentation on how to investigate and clean up a security breach:

Read more

https://wptavern.com/attackers-continue-to-exploit-vulnerabilities-in-the-plus-addons-for-elementor-plugin

https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-for-elementor-allows-site-takeover/