Menu

Threat Advisory

Elementor Plugin vulnerable to Remote Code Execution

February 4, 2022 | By Accorian

WordPress is the most widely used CMS and also the most infamous one. When it comes to being secure, it is only as secure as any other similar platform, depending on how it is configured and maintained. All software, tools, and platforms must be updated and patched in a timely fashion to maintain security.

A critical security issue, Local File Inclusion (LFI) was identified in the WordPress plugin – Essential Addons for Elementor v5.0.4 and below. LFI attack allows an attacker to include local files on the file system. This could be used to exfiltrate sensitive data or even lead to code execution attacks where an attacker will include a file with malicious code and execute it with the help of this flaw.

It was observed that the vulnerability exists only if the widgets – Dynamic gallery and product Gallery are used. This can be exploited due to how the user input is used inside PHP’s include function in the ajax load more and ajax_eael_product_gallery functions. 

It has been confirmed that the vulnerability has now been completely fixed in version 5.0.5 of Essential Addons for Elementor while the previous 2 fixes remained flawed and incomplete.

Accorian can help you

  • Identify this and any such security issue that your website may be vulnerable to
  • Identify all vulnerable plugins and components that are being used
  • Fix the identified vulnerabilities with appropriate fixes and patches

Recommendation

It is advised that:

  • All plugins, components, software, and tools are updated regularly as patches and fixes are released. 
  • Test the patches on a UAT before applying them on production setup to ensure the patch does not break your application or service.
  • All user input is being validated and the application does not trust any user input.
  • Nulled plugins and themes are never used.
  • A WordPress WAF (Web Application Firewall) be used to protect the application.
  • It would be ideal to carry out a quick vulnerability scan to understand on a high-level the vulnerable plugins that are being used and the possible damage that they could cause. Subsequently, carry out complete application penetration tests which will help identify all the security flaws in the application, and upon remediation, the exercise will strengthen the security posture.

We are here if you need us. You can reach out to me on my email, and if you would like to schedule a call with me, here’s my availability (Schedule a meeting with me)

Recent Post

Article

THREAT ADVISORY – RANSOMWARE CAMPAIGN TARGETING AMAZON S3 BUCKETS

Description A ransomware campaign conducted by the Codefinger group is actively targeting Amazon S3 buckets. Halcyon’s research highlights that the attacks utilize AWS Server-Side Encryption with customer-provided keys (SSE-C) to encrypt data. The attackers then demand ransom payments for the symmetric AES-256 keys required for decryption. Recovery is impossible without the key, as AWS's secure encryption infrastructure does not store it. Threat actors exploit compromised AWS credentials to execute s3: GetObject and s3: PutObject requests. They initiate encryption using the x-amz-server-side-encryption-customer-algorithm header, relying on an AES-256 encryption key generated and stored locally. Additionally, files are marked for deletion within seven days using the S3 Object Lifecycle Management API. Impact Data encrypted using SSE-C cannot be recovered without the attackers’ decryption keys. Compromised credentials enable attackers to gain access, encrypt data, and render it inaccessible. AWS CloudTrail only logs an HMAC for the encryption process, which is insufficient for key reconstruction or data recovery. Recommendations To mitigate the risk, organizations using Amazon S3 buckets should: 1. Secure AWS Accounts: Implement strict security protocols following AWS best practices. Restrict SSE-C usage by configuring the IAM policy condition element. 2. Review AWS Permissions: Limit access to minimum required levels and frequently rotate active keys. Disable unused keys. 3. Enable Detailed Logging: Monitor S3 operations for suspicious activities such as bulk encryption or policy changes. References New Amazon Ransomware Attack— ‘Recovery Impossible’ Without Payment For further assistance, contact us at info@accorian.com or schedule an appointment via our Calendly link. Threat Advisory Team Accorian

View More

Article

THREAT ADVISORY - DOOMSDAY CRITICAL LINUX BUG

Description A severe vulnerability, CVE-2024-47176, has been discovered in the Common UNIX Printing System (CUPS). It was made public on September 26, 2024, and affects Linux systems with cups-browsed enabled. This vulnerability requires the victim to start a print job, and if your cups-browsed is enabled, it could make him vulnerable to attacks that could lead to their computer being commandeered over the network or internet. Impact Attackers can exploit this vulnerability to hijack devices on networks, potentially gaining control over systems. While successful exploitation requires user interaction (the initiation of a print job), the risks remain significant, especially for systems that expose CUPS to public networks. Affected Versions CUPS is bundled with various Linux distributions, and the vulnerability affects: Most Linux distributions with CUPS and cups-browsed enabled Some BSD systems Potentially Google ChromeOS, Oracle's Solaris, and other distributions Remediation To mitigate the risk associated with this vulnerability, it is recommended to: Disable or remove the cups-browsed service to prevent exposure. Block access to UDP port 631 on firewalls to limit external access. Update CUPS when security patches become available. Consider removing CUPS entirely if it is not needed for printing tasks. Source - https://www.theregister.com/2024/09/26/unauthenticated_rce_bug_linux/ If you would like our advice or assistance in the matter, feel free to contact us to schedule a scan and discuss your specific security requirements. Kindly reach us at info@accorian.com or click through our Calendly link here to schedule an appointment at your convenient time Calendly Link. Threat Advisory Team Accorian

View More

Article

Manufacturing Sector Vulnerable to RCE Flaw

Description PTC, a leading software provider for critical manufacturing organizations, has recently addressed an RCE flaw tracked as CVE-2024-6071. The vulnerability, rated CVSS 10, exists in the PTC Creo Elements/Direct license server. It enables unauthorized remote command execution and lateral movement within critical manufacturing and industrial organizations, including Volvo, Lufthansa, Medtronic, HP, Merck, and GE. Impact The flaw impacted the license server of Creo Elements/Direct, a direct modeling CAD software used for creating 3D designs. Although PTC claims the flaw has not been exploited, its severity prompted immediate patching. Exploitation requires network access, as the license server is typically not exposed to the internet. Affected Versions Thomas Riedmaier discovered a vulnerability in the Creo Elements/Direct license server: Versions 20.7.0.0 and earlier Remediation Apply PTC's patch for Creo Elements/Direct. Confirm that the license server is not exposed to the internet. Limit access to authorized personnel. Isolate license servers from critical systems. Monitor logs for unusual activities. Perform vulnerability scans and penetration tests. Include CVE-2024-6071 in the incident response plan. Stay updated with PTC for new patches or information. Verify security standards meet industry standards and regulations. Source: https://www.databreachtoday.com/patched-rce-flaw-that-affects-critical-manufacturing-a-25699?rf=2024-07-04_ENEWS_SUB_DBT__Slot8_ART25699&mkt_tok=MDUxLVpYSS0yMzcAAAGUHWCLsDa8Alxx89nmcsSkjc0bON4Bwse5npVDdr3B95f5QKt3z4jov6Sh9a9st3fsPv5nXDXDKzV_xxTJ6PXLupMU0TxzCH1TswlToT_AzdymozuPuw   Contact us to schedule a scan and discuss your specific security needs. For any further assistance, kindly reach out to us at info@accorian.com

View More

Article

Remote Code Execution Vulnerability CVE-2024-6387 in glibc-based Linux Systems

Description The Qualys Threat Research Unit issued an advisory for CVE-2024-6387 on July 1 regarding a vulnerability affecting glibc-based Linux systems that allow unauthenticated remote code execution known as “regreSSHion.” It is a regression of CVE-2006-5051, reintroduced with OpenSSH version 8.5p1. While exploitation is challenging, it can have severe impacts. Lab tests show it requires about 10,000 attempts over 6-8 hours against 32-bit hosts, with 64-bit hosts theoretically at risk but not publicly proven. Impact This vulnerability may allow attackers to escalate privileges fully if a client fails to authenticate within 120 seconds (600 seconds for legacy OpenSSH versions). Exploiting the regeSSHion vulnerability could enable attackers to: ●       Fully compromise a susceptible host ●       Exfiltrate sensitive data ●       Propagate laterally within the network to internal hosts ●       Encrypt and hold critical data for ransom Affected Versions ●       OpenSSH versions before 4.4p1 ●       OpenSSH versions between 8.5p1 and 9.7p1 Previous patches for CVE-2006-5051 and CVE-2008-4109 have resolved the flaw. OpenBSD systems are unaffected. OpenSSH versions in Red Hat Enterprise Linux 6, 7, and 8 are not vulnerable, as the regression was introduced in OpenSSH 8.5p1, which postdates these versions. Remediation To deal with this menace, ensure timely upgrades of OpenSSH upon patch availability. Set LoginGraceTime to 0, acknowledging the potential risk of denial of service if simultaneous connections exceed MaxStartups. Restrict SSH access to internet-exposed hosts and implement network segmentation to curtail lateral movement effectively. Source: https://www.lacework.com/blog/critical-rce-vulnerability-on-open-ssh-detecting-and-mitigating-cve-2024-6387-regre-ss-hion  

View More

Article

Snowflake Customers Hit With ‘Significant’ Data Theft In Attacks: Mandiant

Description Mandiant researchers have identified a recent breach of the Snowflake Cloud Data Platform by the Uncategorized Threat Actor Group (UNC5537) that could potentially expose approximately 165 organizations. The data theft, which occurred in mid-April 2024, appears to have exploited Snowflake's stolen customer credentials obtained through infostealer malware campaigns on non-Snowflake systems. Impact The absence of multi-factor authentication (MFA) on the affected accounts facilitated the breach. Notable organizations affected include Ticketmaster, Santander Bank, and Advance Auto Parts. Over 100 customers were confirmed as impacted. Remediation ● Add an extra layer of security by enabling MFA for all accounts. ● Strengthen Password Policies by implementing long, complex passwords and changing them regularly. ● Regularly audit and monitor accounts for suspicious activity. ● Enforce secure configurations and keep systems updated with patches. ● Conduct frequent security assessments and penetration testing. Source: https://www.crn.com/news/security/2024/snowflake-customers-hit-with-significant-data-theft-in-attacks-mandiant?itc=refresh Contact us to schedule a scan and discuss your specific security needs. For any further assistance, kindly reach out to us at info@accorian.com

View More

Ready to Start?

Security Compliance & Assessment Services

CONSULTING & ASSESSMENT SERVICES

PENETRATION TESTINGRed TEAM ASSESSMENTS
TECHNOLOGY STAFFING

Contact Info

E. info@accorian.com

T. +1-732-443-3468

Contact With Us

Office Address

Accorian Head Office

6,Alvin Ct, East Brunswick, NJ 08816 USA

Accorian Canada

Toronto

Accorian India

Ground Floor,11, Brigade Terraces, Cambridge Rd, Halasuru, Udani Layout, Bengaluru, Karnataka 560008, India

Ready to Start?​

Drop your CVs to joinourteam@accorian.com

Interested Position

Download Case study

Download SOC2 Guide