New security flaw leaves 300,000 WordPress websites vulnerable to exploitation

The new vulnerability, tracked as CVE-2023-39157 and rated 9.0 on the CVSS scale, poses a serious risk to WordPress-based websites.

According to securityonline, a critical vulnerability has been discovered in the JetElements For Elementor WordPress plugin that allows an attacker to execute arbitrary code on the target website. JetElements is a highly rated add-on for Elementor that provides over 40 widgets for flexible creation and management of site content; users add the various content blocks through JetElements' widgets.

The popularity of the WordPress platform has also attracted many developers to write plugins serving the needs of bloggers and businesses alike. With an active install base of about 300,000 websites, the plugin's popularity also means the potential for damage is high when a vulnerability appears.

The RCE vulnerability lets any site member with a role as low as Contributor trigger execution of arbitrary PHP functions, which amounts to a full code execution attack on the site.

The bug was discovered by a researcher at Patchstack. According to security experts, CVE-2023-39157 lets attackers run commands, plant backdoors and eventually take full control of the target website.

According to the analysis, the flaw lies in the plugin's render_meta function, which allows an attacker to inject the name of a PHP function such as system(). To trigger it, a privileged user must publish the attacker's draft post, which in turn executes the malicious code.
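As an added illustration, which is not the plugin's code and not Patchstack's analysis, the PHP below shows the general bug class the article describes: a widget that reads a function name from post-level settings and calls it, beside a hardened version that only accepts a key from a fixed allow-list. The function names (render_meta_vulnerable, render_meta_hardened), the 'callback' setting name and the sample data are assumptions made for this example.

```php
<?php
// Added illustration of the bug class behind CVE-2023-39157. This is NOT the
// JetElements code; the function names and the 'callback' setting are
// assumptions chosen for the example.
//
// Flow described in the article: a Contributor saves widget settings in a
// draft post; an Editor or Administrator later previews or publishes that
// draft; the widget renders and whatever function the settings name runs
// with the web server's privileges, regardless of who authored the post.

declare(strict_types=1);

// --- Vulnerable pattern ---------------------------------------------------
// The function name comes straight out of post content. is_callable() does
// not make this safe: 'system', 'shell_exec', 'file_put_contents', ... are
// all callable.
function render_meta_vulnerable(array $settings, string $meta_value): string
{
    $callback = $settings['callback'] ?? 'htmlspecialchars';
    if (is_callable($callback)) {
        return (string) call_user_func($callback, $meta_value);
    }
    return htmlspecialchars($meta_value, ENT_QUOTES, 'UTF-8');
}

// --- Hardened pattern -----------------------------------------------------
// Settings may only select a key from a fixed allow-list; the real function
// name never comes from user data, and output is escaped regardless.
const META_FORMATTERS = [
    'upper' => 'strtoupper',
    'title' => 'ucwords',
    'trim'  => 'trim',
];

function render_meta_hardened(array $settings, string $meta_value): string
{
    $key = (string) ($settings['callback'] ?? '');
    $fn  = META_FORMATTERS[$key] ?? null;   // unknown key => no callback at all
    $out = $fn === null ? $meta_value : $fn($meta_value);
    return htmlspecialchars($out, ENT_QUOTES, 'UTF-8');
}

// --- Demonstration (constructed sample data) -------------------------------
// A Contributor-level user stores an arbitrary PHP function name in the
// widget settings. strrev() is used so the demo is harmless; 'system' would
// be accepted by the vulnerable version just the same.
$attacker_settings = ['callback' => 'strrev'];
$meta_value        = 'id';

echo "vulnerable: ", render_meta_vulnerable($attacker_settings, $meta_value), PHP_EOL;
echo "hardened:   ", render_meta_hardened($attacker_settings, $meta_value), PHP_EOL;
echo "hardened:   ", render_meta_hardened(['callback' => 'upper'], $meta_value), PHP_EOL;
```

Run with `php example.php`: the vulnerable path executes whatever function the stored settings name (here strrev, reversing the meta value), while the hardened path ignores the attacker's string because it is not an allow-list key, and only the allow-listed key 'upper' selects a function, one the plugin author chose rather than the post author. The point is that the decision of which function to call must never be made from data a low-privileged user can write into a post.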

The vulnerability has been fixed in JetElements for Elementor version 2.6.11. Users should update to the latest version of the plugin as soon as possible, use a WordPress security plugin to scan their site, enforce strong passwords and two-factor authentication, and back up regularly.
