WordPress: Vulnerabilities in Responsive Ready Sites Importer

Security researchers have found several critical vulnerabilities in the WordPress plugin Responsive Ready Sites Importer. The vulnerabilities allow an attacker to hijack a WordPress instance.

Gutenberg & Elementor Templates Importer For Responsive

The WordPress plugin Responsive Ready Sites Importer allows the import of Gutenberg & Elementor templates for Responsive Themes in WordPress. The import provides WordPress users with fully functional, ready-to-use website templates built for the Elementor Page Builder and the new WordPress block editor (Gutenberg).

All you need to do is import a website template, edit the content, and then launch the WordPress website. The plugin is active on more than 40,000 installations and requires WordPress 5.0 or higher. A description can be found here.

Vulnerabilities in the plugin

The Wordfence Threat Intelligence team discovered several vulnerable endpoints in the WordPress plugin Responsive Ready Sites Importer on March 2, 2020. These flaws allowed any authenticated user, regardless of permission level, to perform various AJAX actions: resetting site data, injecting malicious JavaScript into pages, modifying design customizer data, importing .xml and .json files, and activating plugins.

The combination of these vulnerabilities poses a serious security risk that could allow attackers to take full control of a WordPress site. The developers were contacted on March 3, 2020. They responded quickly and released updates within hours that added nonce and permission checks to almost all AJAX endpoints. After full disclosure, a final patch was released a few days later.
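To make the root cause concrete, here is an added illustration (not the plugin's own code, and the action name, option name and nonce action are hypothetical): a WordPress AJAX handler that any logged-in user can trigger, beside the same handler with the nonce and capability checks that the patch added.

```php
<?php
/*
 * Added illustration, not code from the Responsive Ready Sites Importer plugin.
 * The action "example_import_settings", the option "example_site_settings"
 * and the nonce action "example_import_nonce" are hypothetical names.
 */

// BEFORE: the handler is reachable by every authenticated user (wp_ajax_*)
// and writes a privileged option without checking who is calling or whether
// the request was forged. This is the class of flaw the advisory describes.
function example_import_settings_unsafe() {
    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    update_option( 'example_site_settings', $settings ); // a subscriber can do this
    wp_send_json_success();
}
// Registration of the unsafe handler is commented out so only the fixed
// version below is live:
// add_action( 'wp_ajax_example_import_settings', 'example_import_settings_unsafe' );

// AFTER: the same handler with the two checks the patch added.
function example_import_settings_safe() {
    // 1. Nonce check: rejects cross-site forged requests (dies with -1 on failure).
    check_ajax_referer( 'example_import_nonce', 'security' );

    // 2. Capability check: only users who may manage options can import settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $settings = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $settings ) ) {
        wp_send_json_error( array( 'message' => 'Invalid payload' ), 400 );
    }
    update_option( 'example_site_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_import_settings', 'example_import_settings_safe' );

// The nonce is issued only to the admin page whose script calls the endpoint,
// so the "security" POST field is present for legitimate requests.
function example_enqueue_importer_script() {
    wp_enqueue_script( 'example-importer', plugins_url( 'importer.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-importer', 'exampleImporter', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_import_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_importer_script' );
```

When auditing a plugin, every `wp_ajax_*` (and especially every `wp_ajax_nopriv_*`) callback should show both a `check_ajax_referer` call and a `current_user_can` check before any state change.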

The Wordfence security researchers strongly recommend updating the plugin immediately to the latest available version, 2.2.7. Details can be found in this blog post. Wordfence Premium customers received a new firewall rule on March 2, 2020 to protect against exploits targeting these vulnerabilities. Users of the free version of Wordfence will receive the rule after thirty days, on April 1, 2020.

This entry was posted in Security, Software.