PSA: Critical Unauthenticated Arbitrary File Upload Vulnerability in Royal Elementor Addons and Templates Being Actively Exploited
Today, on October 13, 2023, the Wordfence Threat Intelligence Team became aware of a vulnerability that was recently patched in Royal Elementor Addons and Templates, a WordPress plugin installed on over 200,000 sites, that makes it possible for unauthenticated attackers to upload arbitrary files to vulnerable sites.
This allows unauthenticated attackers to upload PHP files containing malicious content, such as a backdoor, that makes remote code execution possible and leads to a complete compromise of the site. We have blocked over 46,169 attacks targeting this vulnerability in the past 30 days, and reviewing our data revealed that attacks started on or around August 30th, 2023, though we also have evidence that the exploit was being actively developed as early as July 27, 2023.
All Wordfence users running Premium, Care, or Response, as well as those still running the free version of the Wordfence plugin, are protected by the Wordfence firewall’s built-in malicious file upload protection. However, because this vulnerability is being actively exploited, we still strongly encourage users to ensure their sites are updated to the latest patched version of the plugin, which is 1.3.79.
This vulnerability was originally discovered by Fioravante Souza from WPScan, and you can find all applicable references in the Wordfence Intelligence Database.
Description: Royal Elementor Addons and Templates