Critical vulnerabilities have been found in popular WordPress plugins, “Ultimate Addons for Elementor” and “Ultimate Addons for Beaver Builder”. Developed by Brainstorm Force team, the Ultimate Addons plugins allow WordPress site owners to use additional widgets/functionality to popular page builders such as Elementor and Beaver Builder.
Ultimate Addons released an advisory on its websites regarding the patch of the vulnerability, asking its users to update the plugins. To shed more light on the issue, we dug out vulnerability details which allowed the hack.
The Brainstorm Force team should be applauded for their agility in patching the vulnerability in less than 7 hours!
The patched versions are:
If you have the plugins installed, with an older version than mentioned above, please immediately update the plugins.
The Ultimate Addons plugins are actively installed on thousands of sites. Moreover, given the nature of the vulnerability, the hacker can access absolutely any WordPress site with the plugin installed, if they have access to any user’s email ID.
We urge you to update immediately.
Vulnerability Under Microscope
The Google and Facebook login feature under the ‘Login Form’ widget, contained the broken authentication and session management vulnerability. The vulnerability allows hackers to login without a password to the WordPress Admin area of any user, if they know the email address of the users. Using this method, it is also possible to login to the accounts of administrators in WordPress.
By leveraging other information gathering techniques, it is possible to find out the email address of the administrator, and exploit this vulnerability.
Related Guide – WordPress Hack Removal
Once admin access is obtained, the hacker would receive powers & controls to further exploit the website in numerous ways. The nastiest of which remains defacement, redirection, spam, data theft (identity theft + financial data theft), malicious pop-ups, database access etc.
Technical Details of the hack
Due to weak validations in the the Google and Facebook login modules, hackers are able to exploit the wp-admin AJAX function used by the Ultimate Addons plugins.
For sites using the social login module, the attacker can tamper/modify the email ID being sent as a response to the AJAX function, after successfully authorizing the login via Google/Facebook. The plugin captures the email id of the user, and performs a login without verifying the authenticity of the data sent by Google/Facebook. The code verifies the AJAX call by checking the nonce token set by WordPress (similar to a CSRF token), unfortunately it is not sufficient to determine if the Google and Facebook APIs returned the same email id.
As you can see in the screenshot below, the POST data is directly used to login the user without validation. It would be recommended to verify the authenticity of the data provided by the Google and Facebook OAuth, by making a verification API call to their service.
If you use Google Sign-In with an app or site that communicates with a backend server, you might need to identify the currently signed-in user on the server. To do so securely, after a user successfully signs in, send the user’s ID token to your server using HTTPS. Then, on the server, verify the integrity of the ID token and use the user information contained in the token to establish a session or create a new account.
More details: https://developers.google.com/identity/sign-in/web/backend-auth
Are you hacked? Get Immediate Help
If you have already been hacked, you can quickly restore your site with the immediate malware cleanup by Astra. If you’re already an Astra customer, our virtual patching technology would protect you from such vulnerabilities.
How can I confirm I am hacked?
You can tell you are hacked if you see any of the following:
- New Admin users created in your WordPress admin area
- Your website is redirecting to malicious sites
- Spam/Phishing emails being sent from your server
- Malicious Pop-ups when visitors open your website
- Website visitors are shown a red warning page by Google
If you are noticing any symptoms not listed above, you can refer to the complete list of hacking signs.
What you can do?
If you are the regular maintainer of your WordPress website, and would like to attempt to fix the hack & secure it from re-occurring, you should:
- Update the vulnerable plugins, WordPress core, other plugins
- Audit your website admins and see if any new admin accounts are added. Once hackers have gotten admin access, they may create new admin users to retain access to the site after the vulnerability has been fixed.
- Login to your server via FTP/SFTP or the File Manager module in cPanel, and check for unknown file names in the root of the site. The following files have been found in the exploited websites: tmp.zip, wp-xmlrpc.php, adminer.php
- Enable Two-factor authentication (2FA) for your WordPress admin area
- Enable IP restrictions on the wp-admin area, so that only whitelisted IPs can access the panels.
Related: The Complete WordPress Malware Removal Guide
The Correct Way to Update
How to update the Ultimate Addons for Elementor?
To update the Ultimate Addons for Elementor (or UAE as they say it), follow these steps:
- Download the latest version from here.
- Delete the previously installed version. Don’t worry no data will be lost.
- Upload the zip file you downloaded from above as a new plugin in your WP-admin
- Install and activate.
And, you are all set.
How to update the Ultimate Addons for Beaver Builder?
To update the Ultimate Addons for Beaver Builder (or UABB as they say it), follow these steps:
- Download the latest version from here.
- Delete the previously installed version. Don’t worry no data will be lost.
- Upload the zip file you downloaded from above as a new plugin in your WP-admin
- Install and activate.
And, you are all set.
Secure your website with Astra
Phew! You are not hacked. But don’t leave your website security to luck. Not securing your website is only going to cost you in the long run. Don’t be at the mercy of the hackers, hold the reins to your website’s wellbeing.
Opt for a trusted security solution and leverage due security & protection on your website.
Have any questions? Comment below or get in touch with a security expert, we’ll be happy to help 🙂