Tag Archives: Royal Elementor Addons and Templates

When it comes to protecting WordPress websites from being hacked through vulnerabilities in plugins, the solution is often simply keeping plugins up to date. But that doesn't work when a hacker finds a vulnerability and starts exploiting it, otherwise known as a zero-day, as there is no update available. That is where an additional security plugin or service can possibly provide protection. But do they? The answer is often that they won't. Making that more problematic is that often the marketing of the solutions would tell you otherwise. Recently, we looked at one example of how firewall plugins could easily detect and stop exploit attempts for a widely exploited vulnerability, but most didn't. Let's look at another example of how a firewall plugin can provide protection. This time with a zero-day. We will touch on a couple of examples of why web application firewalls (WAFs) such as a cloud based security service are unable to handle things as well. What makes this zero-day stand out more is the curious promotion from Automattic, the company run by the head of WordPress, for one of its security solutions, Jetpack. They wrote this at the end of a post: At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. Jetpack Security is one great WordPress security option to ensure your site and visitors are safe. But earlier in the same post, they were admitting that they knew about it because they hadn't provided protection. They wrote this: During an investigation of a series of website being actively compromised we noticed the constant presence of the Royal Elementor Addons and Templates plugin installed. And all sites had at least one malicious file dropped into the /wpr‑addons/forms/ directory. That doesn't make sense, but that is a pretty common situation. Wordfence recently were promoting themselves while admitting that websites had been hacked and they didn't know how they were hacked. Instead Wordfence were trying to detect the aftereffects of the hack, despite promoting their Wordfence Security plugin with an unqualified claim that it "stops you from getting hacked". The Vulnerability The zero-day existed in the Royal Elementor Addons and Templates plugin resulted from a poorly implemented approach to limiting what file extensions are allowed for files being uploaded to the website through the plugin. The developer didn't rely on WordPress' built-in functionality to handle things, which could have avoided the problem. That approach allowed uploading files with the .php extension that contained malicious code, which the hacker could then cause to run. The developer restricted uploading files with certain file extensions, but also allowed the uploader to specify what other file extensions are permitted. That alone didn't cause a problem. The problem was caused by combining that with changing the filename after the file extension had been checked. That was done using the WordPress function wp_unique_filename(), which in turn calls the function sanitize_file_name(). A hacker could, for example, upload a file named malicious.php$ with malicious code in it. That would get past the file extension restriction, which would apply if the extension was php instead of php$. The sanitize_file_name() would strip off the $ from the extension, allowing the file's PHP code to be able to run. Jetpack didn't stop this, but a firewall plugin can take several approaches to stop this. Let's look at the approaches we have implemented in our own Plugin Vulnerabilities Firewall that each can stop this. Restrict File Extensions Information about files being sent with a request are included in PHP's $_FILE superglobal. One approach to stop a file upload vulnerability like this is to block a request if a file has an extension other than one permitted. With our own plugin, by default, we only allow extensions that WordPress' own upload capability permits to be uploaded by default. That can be customized if other file extensions are needed or if a website doesn't need to allow all of those to be uploaded. The plugin also allows users with the Administrator role to upload other types of files. That is something that a web application firewall (WAF) or other firewall not tied in to WordPress is unable to handle as they don't know if a requestor has that role. Unlike the code in the plugin, a file with an extension like php$ would be stopped as it isn't one of the permitted extensions. The NinjaFirewall plugin also is able to block the attack this way. Detecting PHP Code While that approach stops this particular vulnerability. It does have limitations. Other vulnerabilities have allowed an attacker to specify a new name for the file. So an attacker could upload the file with an extension permitted and then have it renamed to php. Another approach that isn't impacted by that issue is to check the contents of files being sent with a request for PHP code in them. The approach taken by our plugin is to check the files for several PHP opening tags (<?php, <?, and <?). That would also stop this attack. The Wordfence Security plugin also is able to block the attack this way. Limiting File Uploads Many WordPress websites don't need those without access to WordPress' media uploader to be able to upload files to the website. A firewall plugin can determine if a request with a file is coming from someone without that access and block the request. Again, a WAF that isn't tied in to WordPress can't do that. With our own firewall plugin we don't enable that by default, as to not cause problems for website that need to allow others to upload files. We instead provide a several question questionnaire to help implement protection like that for websites that can benefit from the additional protection. NinjaFirewall does offer an option to block file uploads, but it blocks users who are allowed to upload file as well as those without that permission.

Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

Tag Archives: Royal Elementor Addons and Templates

How a WordPress Firewall Plugin Stops Exploitation of Zero-Day That Automattic’s Jetpack Didn’t