April 2022 WordPress Security News

The biggest headline this month is a severe vulnerability in the Elementor website builder. This vulnerability allowed any site user to deface your site or install malicious plugins. Other plugin vulnerabilities include SiteGround’s security app and a spam protection plugin.

I’ve also included a notice about a pretty severe Windows vulnerability. If you’re responsible for any Windows machines, make sure you apply the most recent security updates immediately.

Booking Calendar by wpdevelop and oplugins

This plugin has a “modest” 60,000 installations. This gives the capability for a site owner to add a booking system that can let site visitors check availability, make reservations, and manually import/export those bookings to other calendar services (Google Calndar, iCal, etc.).

A vulnerability in the way the plugin handled viewing preferences could have allowed malicious actors with low (or no) permissions to perform certain administrator-level actions on the site. These actions include deleting files, executing arbitrary code, and even site takeover.

The good news is that the “attack chain” for this plugin was relatively complex. It also depended on a site having other exploitable plugins installed. However, given the number of plugins with unpatched vulnerabilities, this is not beyond the realm of possibilities.

If you’re running a site with the Booking Calendar plugin, make sure you’re updated to at least the version shown below.

Spam Protection, AntiSpam Firewall by CleanTalk

This is a popular plugin with around 100,000 installs. It attempts to stop spam on a variety of WordPress form fields (such as comments, contact, and registration fields).

Earlier this year, WordFence discovered two separate cross-site scripting vulnerabilities in the plugin. Either of these vulnerabilities could lead to a malicious takeover of a site. All that was required was for an attacker to trick an administrator into performing a specific action. This action could be benign, like clicking a specially-crafted link or button.

To protect yourself from these attacks, make sure you’re using at least the version indicated below.

SiteGround Security by SiteGround

With around 400,000 active installations, this plugin is even more popular than the CleanTalk plugin. This plugin comes pre-installed on WordPress sites running on SiteGround hosting. It contains several features designed to increase the security of these WordPress sites.

One such feature is two-factor authentication(2FA). Unfortunately, 2FA was implemented insecurely in this plugin. This mistake made it possible for attackers to gain access to administrator accounts and take over a site. A more complete write-up is available on WordFence, but the vulnerable period is after activating 2FA, but before it is set up for a user.

During this period, it was possible for an attacker to bypass the username/password login, and set up the 2FA to use a device of the attacker’s choosing. This would not only allow the attacker to log in as the user, but it would also prevent the real account owner from logging in.

This is a pretty severe vulnerability, and as such, an update was automatically applied by SiteGround. If you have this plugin installed on your site, check that it is at least the version indicated below. You should also verify that all admins with 2FA can log in.

Elementor Plugin

First things first – yes, this is the Elementor plugin. This is a massively popular page builder plugin that is in use on over 5 million sites.

The vulnerability in this plugin allowed any logged-in use to upload and install plugins or themes or simply deface the site. This upload ability was available for any user, regardless of their permission settings.

Luckily, there are few details that reduce the overall impact of this security flaw. The first is that this vulnerability was only introduced on the latest point update (3.6.0), which was released on March 22, 2022. This means that sites that had not updated to this version were not affected. Since the patched version (3.6.3) was released less than one month later (April 12, 2022), the overall number of sites that were impacted is quite a bit lower than the 5+ million total Elementor installs.

However, due to the severe nature of the vulnerability and the widespread use of Elementor, make sure any sites you are running are patched to the secure version.

Windows Remote Code Execution

A recently-discovered vulnerability in Windows’ “Remote Procedure Call” runtime is attracting a lot of attention. While this vulnerability was patched this month, there are still a lot of systems that have not applied this patch.

A quick look at Microsoft’s page describing this vulnerability gives a few clues as to the severity of this discovery.

  • Attack Vector: Network (The attack will come from the internet – no physical access required)
  • Attack Complexity: Low (The attack is easy to perform)
  • Privileges Required: None (You don’t have to be logged in)
  • User Interaction: None (This is the big one – you can be exploited with zero user interaction. No need to click a bad link or download a virus)

This vulnerability affects many versions of Windows, including Windows 11, Windows 10, Windows 8, Windows 7, and Windows Server (2022-2008 versions).

While the specifics of the attack are beyond me, if you’re curious, you can watch a 7-minute video on how an attacker can (and will) reverse-engineer the patch to find the vulnerability.

Want to see more WordPress security news? You can find past entries here.