PSA: Critical Unauthenticated Arbitrary File Upload Vulnerability in Royal Elementor Addons and Templates Being Actively Exploited

Wordfence warns of a critical unauthenticated vulnerability in Royal Elementor Addons and Templates for WordPress that lets attackers upload PHP files and achieve remote code execution, risking a full site compromise. Attacks have been observed since late July 2023, with more than 46,000 attempts blocked in the 30 days before publication; indicators include the dropped file names and source IP addresses listed below. Users should update to the patched version 1.3.79 and run malware scans. #RoyalElementorAddonsAndTemplates #wp.ph$p #b1ack.p$hp #Wordfence #WPScan

Keypoints

  • A vulnerability exists in Royal Elementor Addons and Templates (versions up to 1.3.78) due to insufficient file type validation in handle_file_upload, allowing unauthenticated file uploads via AJAX.
  • Unauthenticated attackers can upload PHP files containing malicious content, such as a backdoor, enabling remote code execution on vulnerable sites.
  • The issue was discovered by Fioravante Souza (WPScan) and publicized by Wordfence on Oct 13, 2023; Wordfence later released a malware-scanner detection signature for wp.ph$p.
  • Attacks began around July 27, 2023 and increased around Aug 30, 2023; Wordfence blocked 46,169 attempts in the 30 days before publication.
  • Three IP addresses accounted for the majority of attacks (65.21.22.78; 2a01:4f9:3080:4eea::2; 135.181.181.50) with hundreds to thousands of attempts each.
  • Indicators of compromise include file names like b1ack.p$hp (MD5 1635f34d9c1da30ff5438e06d3ea6590) and wp.ph$p (MD5 bac83f216eba23a865c591dbea427f22).
  • Mitigation emphasizes updating to plugin version 1.3.79, leveraging Wordfence firewall protections, and running malware scans via Wordfence tools or Incident Response services if compromised.
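The keypoints above describe the root cause as insufficient file type validation on an unauthenticated AJAX upload. The following Python model, added here as an illustration and not taken from the plugin or from Wordfence, contrasts a check that is insufficient in the way such bugs usually are (a denylist on the last extension plus trust in the client-declared MIME type) with a hardened check that allowlists extensions, rejects executable extensions anywhere in the name, verifies the file's magic bytes, and stores the file under a server-chosen name. The extension set, the allowlist and the `weak_check`/`strict_check` names are assumptions for the example; the actual logic in `handle_file_upload` is not reproduced here.

```python
import re
import secrets

# Extensions that common Apache/Nginx PHP handlers execute. Assumption for the
# example: the exact set depends on the server configuration.
PHP_EXECUTABLE = frozenset({"php", "php3", "php4", "php5", "php7", "phtml", "phar"})

# Allowlist for a media upload endpoint, mapped to the magic bytes each type must begin with.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}


def weak_check(filename: str, client_mime: str) -> bool:
    """Illustrative insufficient check (not the plugin's code): a denylist on the
    final extension plus trust in the Content-Type the client declared."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext != "php" and client_mime.startswith(("image/", "application/pdf"))


def strict_check(filename: str, data: bytes):
    """Hardened check. Returns (True, safe_storage_name) or (False, reason)."""
    if not filename or "/" in filename or "\\" in filename or "\x00" in filename:
        return False, "path separators or NUL in name"
    if not re.fullmatch(r"[A-Za-z0-9._-]+", filename):
        return False, "name contains disallowed characters"
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not in allowlist"
    # shell.php.jpg: some handlers execute on any segment, so reject PHP-like segments anywhere.
    if any(seg in PHP_EXECUTABLE for seg in parts[:-1]):
        return False, "executable extension embedded in name"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, f"content does not match .{ext} signature"
    # Defense in depth against image/PHP polyglots that a later include() could execute.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    # Never keep the client-chosen basename; store under a random name with the verified extension.
    return True, f"{secrets.token_hex(8)}.{ext}"
```

A `.phtml` backdoor declared as `image/png` passes `weak_check` and would be executed by a handler mapped to that extension, while `strict_check` rejects it on the allowlist alone before the content is even inspected.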

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Unauthenticated attackers exploit a vulnerability in the Royal Elementor Addons and Templates plugin to upload arbitrary files to vulnerable sites. “unauthenticated attackers to upload arbitrary files to vulnerable sites.”
  • [T1105] Ingress Tool Transfer – Attackers upload PHP files containing malicious content, such as a backdoor, that makes remote code execution possible. “upload PHP files containing malicious content, such as a backdoor, that makes remote code execution possible.”

Indicators of Compromise

  • [IP Address] – 65.21.22.78, 2a01:4f9:3080:4eea::2, 135.181.181.50
  • [MD5 Hash] – 1635f34d9c1da30ff5438e06d3ea6590, bac83f216eba23a865c591dbea427f22
  • [File Name] – b1ack.p$hp, wp.ph$p
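The file names and MD5 hashes in the keypoints and in the indicator list above are the practical hunting material. The script below, added here as an example and not part of the Wordfence advisory, walks a WordPress uploads directory and flags files matching the published names or hashes, and additionally any file with a PHP-executable extension in its name, since wp-content/uploads should never contain executable PHP. It assumes that the `$` in the published names (b1ack.p$hp, wp.ph$p) is defanging and that the files are plain `.php` on disk; the fixture it builds for a stand-alone run is constructed and does not contain real malware, so only the name and extension rules fire on it, not the hash rule.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# Published IOCs, with the defanged names from the advisory restored to .php (assumption).
IOC_MD5 = {
    "1635f34d9c1da30ff5438e06d3ea6590": "b1ack.php",
    "bac83f216eba23a865c591dbea427f22": "wp.php",
}
IOC_NAMES = frozenset(IOC_MD5.values())

# Extensions common PHP handlers execute; none of them belong under wp-content/uploads.
PHP_EXTS = frozenset({".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"})


def md5_file(path: Path, chunk: int = 1 << 16) -> str:
    """MD5 is used here only to compare against the published IOC hashes."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_uploads(root, ioc_md5=IOC_MD5, ioc_names=IOC_NAMES):
    """Walk an uploads tree; return one finding dict per suspicious file."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        reasons = []
        if p.name.lower() in ioc_names:
            reasons.append("ioc-filename")
        digest = md5_file(p)
        if digest in ioc_md5:
            reasons.append("ioc-md5")
        # Check every dotted segment so double extensions (logo.png.php) are caught too.
        if any(s.lower() in PHP_EXTS for s in p.suffixes):
            reasons.append("php-in-uploads")
        if reasons:
            findings.append({"path": p.relative_to(root).as_posix(), "md5": digest, "reasons": reasons})
    return findings


def build_sample_tree(base) -> Path:
    """Constructed fixture (not real malware): a benign image, a file named like the IOC,
    and a double-extension file, mimicking the layout of wp-content/uploads/YYYY/MM."""
    base = Path(base)
    month = base / "2023" / "10"
    month.mkdir(parents=True, exist_ok=True)
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    (month / "wp.php").write_text("<?php /* placeholder standing in for a dropped backdoor */ ?>\n")
    (base / "logo.png.php").write_text("<?php /* double-extension placeholder */ ?>\n")
    return base


def demo():
    """Build the constructed fixture in a temp directory and scan it."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="uploads-ioc-"))
    return root, scan_uploads(root)


if __name__ == "__main__":
    # Usage: python scan_uploads.py /var/www/html/wp-content/uploads  (runs on the fixture if omitted)
    _, results = demo() if len(sys.argv) < 2 else (None, scan_uploads(sys.argv[1]))
    for f in results:
        print(f"{f['path']}\t{f['md5']}\t{','.join(f['reasons'])}")
```

A name or hash match is a strong signal that this campaign reached the site; a clean result is not clearance, because attackers rename and re-encode their droppers, so a site that was running a version up to 1.3.78 while the AJAX upload was exposed still warrants the full malware scan the advisory recommends.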

Read more: https://www.wordfence.com/blog/2023/10/psa-critical-unauthenticated-arbitrary-file-upload-vulnerability-in-royal-elementor-addons-and-templates-being-actively-exploited/