Critical vulnerabilities have been found in popular WordPress plugins, "Ultimate Addons for Elementor" and "Ultimate Addons for Beaver Builder". Developed by Brainstorm Force team, the Ultimate Addons plugins allow WordPress site owners to use additional widgets/functionality to popular page builders such as Elementor and Beaver Builder.
UABB is a core piece of kit in our website development stack and provides a lot of useful add-ons that are missed within the core installation of Beaver Builder.
This is a major” vulnerability that could allow hackers to gain administrative access to any website using the plugins. It has been patched since its discovery on Wednesday, and at the time of writing, ALL of 33Technologies managed customers have had this patch applied and are currently safe from the vulnerability.
What happened?
There were some vulnerabilities in the Google and Facebook login functionality under the 'Login Form' Widget, which contained broken auth and session management code. This allows hackers to log in to the Admin area without a password. By leveraging other methods of gathering information, it's possible to find the admin username, exploit it and gain access to the system as an administrator.
Once admin access is obtained, the hacker would receive powers & controls to further exploit the website in numerous ways. The nastiest of which remains defacement, redirection, spam, data theft (identity theft + financial data theft), malicious pop-ups, database access etc.
How can I confirm I am hacked?
You can tell you are hacked if you see any of the following:
- New Admin users created in your WordPress admin area
- Your website is redirecting to malicious sites
- Spam/Phishing emails being sent from your server
- Malicious Pop-ups when visitors open your website
- Website visitors are shown a red warning page by Google
What can I do?
If you're a 33Technologies customer - Nothing, we've got you covered. If you maintain your own WordPress and you've got this plugin, then you need to update it immediately.
- Update the vulnerable plugins, WordPress core, other plugins
- Audit your website admins and see if any new admin accounts are added. Once hackers have gotten admin access, they may create new admin users to retain access to the site after the vulnerability has been fixed.
- Login to your server via FTP/SFTP or the File Manager module in cPanel, and check for unknown file names in the root of the site. The following files have been found in the exploited websites: tmp.zip, wp-xmlrpc.php, adminer.php
How do I do it?
Update the Ultimate Addons for Elementor
To update the Ultimate Addons for Elementor (or UAE as they say it), follow these steps:
- Download the latest version from here.
- Delete the previously installed version. Don't worry no data will be lost.
- Upload the zip file you downloaded from above as a new plugin in your WP-admin
- Install and activate.
Update the Ultimate Addons for Beaver Builder
To update the Ultimate Addons for Beaver Builder (or UABB as they say it), follow these steps:
- Download the latest version from here.
- Delete the previously installed version. Don't worry no data will be lost.
- Upload the zip file you downloaded from above as a new plugin in your WP-admin
- Install and activate.
If you're needing assistance getting this plugin updated, please don't hesitate to get in contact with us: support@33technologies.com.au
