New WordPress plug-in vulnerability impacts over 1 million websites. Last week a vulnerability in the WordPress plug-in Essential Addons for Elementor was reported on. The National Institute of Standards and Technology, NIST, has added it to their National Vulnerability Database and is awaiting its risk score. This vulnerability is a privilege escalation, which means it allows the cyberattacker to gain access to your website and access at the highest levels.
NIST provides a description of this WordPress plug-in vulnerability, “Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1.”
Fortunately the developer of this WordPress plug-in, WPDeveloper, has already released an update that addresses this vulnerability.
Using plug-ins for your website is a great way to make creating and editing your website easier. Plug-ins are custom modules you can integrate into your website for enhanced features, design, and security. This also means they can be given quite a bit of access to your website, making them attractive targets for cybercriminals. Instead of trying to attack your website directly, the cyberattacker will focus on plug-ins as this gives them more possible websites to gain unauthorized access.
What you need to do
The first step is to identify what kind of website you use and identify all of your plug-ins. If you are using WordPress and this particular plug-in you will need to update to their latest release. Knowing your site and the integrations used is important, just like knowing your business data. This allows you to have a better grasp of where your risks might be.
The next step is identifying if your site plug-ins require any updates. Just like software on your computer or apps on your phone, plug-ins need regular updates. Some plug-ins will update in the background out of your control while others can have automatic updates enabled. In many cases though, you will need to update them manually. So it is important to make an update schedule. This allows you to follow a set schedule to check for updates and make updates as they become available.
Websites are one of the most used tools to communicate with customers and potential customers. Cybercriminals see websites as a gateway to data, financial accounts, and direct access to your business networks. Let’s update our plug-ins, update our websites, and keep our small businesses secure!
For more information on small business cybersecurity resources, check out Small Business, Big Threat!