Vulnerabilities in multiple WordPress plugins was discovered by security researchers which when successfully exploited, could allow an attacker to run arbitrary code and take over a website.
The flaws were found in Elementor, a website builder plugin which is used in more than seven million sites, and WP Super Cache, a tool used to serve cached pages of a WordPress site.
The security flaws in Elementor were discovered by researchers at Wordfence who stated that the bug concerns a set of stored cross-site scripting (XSS) vulnerabilities (CVSS score: 6.4), which occurs when a malicious script is injected directly into a vulnerable web application.
As the flaws take advantage of the fact that dynamic data entered in a template could be leveraged to include malicious scripts intended to launch XSS attacks, such behavior can be prevented by validating the input and escaping the output data so that the HTML tags passed as inputs are rendered harmless.
Another flaw that was discovered in WP Super Cache, which is used by more than two million WordPress sites was an authenticated remote code execution (RCE) vulnerability that could permit an opponent to upload and execute malicious code with the intend of gaining control of the site.
Elementor fixed the issues in version 3.1.4 released on March 8 by hardening “allowed options in the editor to enforce better security policies.” Similarly, Automattic, the developer behind WP Super Cache, addressed the “authenticated RCE in the settings page” in version 1.7.2.
All the users are highly recommended to update to the latest versions to reduce the risk associated with the flaws.