CVE-2023-5360: WordPress Plugin Zero-Day Affects 200k Sites

On October 13, 2023, the Wordfence Threat Intelligence team warned that WordPress sites are actively targeted with exploits targeting a zero-day vulnerability in the Royal Elementor Addons and Templates plugin.

Royal Elementor Addons and Templates is a popular WordPress plugin that adds a suite of new widgets and templates to the Elementor page builder. It has over 200,000 active installations.

CVE-2023-5360

Identified as CVE-2023-5360 and holding a CVSS score of 9.8, the flaw makes it possible for anonymous attackers to upload arbitrary files to susceptible sites. This effectively means that malefactors can upload PHP files imbued with malicious content, opening the door for remote code execution and total site compromise.

The Wordfence Threat Intelligence team has blocked over 46,169 attacks targeting this vulnerability in the past 30 days. They have also found evidence that the exploit was being actively developed as early as July 27, 2023.

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.3.78. The CVE-2023-5360 vulnerability is due to insufficient file type validation in the handle_file_upload() function called via AJAX.

The good news is that the Royal Elementor Addons and Templates team has released a patch for this vulnerability. The latest patched version of the plugin is 1.3.79.

If you are using the Royal Elementor Addons and Templates plugin, you should update to the latest version immediately. You should also scan your site for any malicious files that may have been uploaded.

Indicators of Compromise

A majority of the attacks appear to be coming from just the following three IP Addresses:

  • 65.21.22.78 with 33,255 attacks blocked.
  • 2a01:4f9:3080:4eea::2 with 12,289 attacks blocked.
  • 135.181.181.50 with 206 attacks blocked.

Additionally, the presence of files named b1ack.p$hp or wp.ph$p on your server should raise alarm bells. The former allows for additional PHP file placement, while the latter introduces a malevolent administrator.

The silver lining? Wordfence has been ahead of the curve with a detection signature for b1ack.p$hp since December 2019, and a signature for wp.ph$p is in the pipeline.

What You Can Do

If you are using the Royal Elementor Addons and Templates plugin, you should update to the latest version immediately. You should also scan your site for any malicious files that may have been uploaded.

Here are some additional tips to help protect your WordPress site from zero-day vulnerabilities:

  • Use a strong password for your WordPress admin account and enable two-factor authentication.
  • Keep your WordPress core files and plugins up to date.
  • Use a security plugin like Wordfence or Sucuri to scan your site for malware and vulnerabilities.
  • Back up your site regularly so that you can restore it if it is compromised.