Security researchers at MalCare have discovered a critical authentication bypass vulnerability in both of these popular premium WordPress plugins, and unfortunately it is quite trivial to exploit. The vulnerability could allow remote attackers to gain admin access to your site without having to log in.
There are reports that attackers started exploiting this vulnerability within just 2 days of its discovery and have compromised vulnerable WordPress sites, installing a backdoor for later access.
The vulnerability's advisory says that there's a lack of checks in the authentication method when a user logs in via Facebook or Google. This means that an attacker can craft a response that fools the plugins into allowing malicious users to log in as any other user, including an admin account, without requiring a password.
If you haven’t already, you need to update to the following versions…
- Ultimate Addons for Beaver Builder 1.24.1
- Ultimate Addons for Elementor 1.20.1
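To confirm what is actually installed, the following added example (not code from MalCare or the plugin vendor) reads the standard WordPress plugin header from each plugin's PHP files and compares the version against the fixed releases listed above. It assumes the plugins' `Plugin Name` headers match the names used in this article; the directory names in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Fixed versions from the article, keyed by the "Plugin Name" header (assumed to match).
FIXED = {
    "Ultimate Addons for Beaver Builder": (1, 24, 1),
    "Ultimate Addons for Elementor": (1, 20, 1),
}
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

def parse_version(text):
    """Turn '1.20.0' into (1, 20, 0); non-numeric parts count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def read_header(php_file):
    """Return (name, version) from a plugin file's header comment, or None."""
    head = php_file.read_text(errors="replace")[:8192]  # WordPress reads the first 8 KB
    fields = {}
    for key, value in HEADER.findall(head):
        fields.setdefault(key.lower(), value)  # keep the first occurrence of each field
    if "plugin name" in fields and "version" in fields:
        return fields["plugin name"], fields["version"]
    return None

def audit(plugins_dir):
    """Return sorted [(name, installed_version, status)] for the two affected plugins."""
    results = []
    for php_file in Path(plugins_dir).glob("*/*.php"):
        header = read_header(php_file)
        if header and header[0] in FIXED:
            name, version = header
            ok = parse_version(version) >= FIXED[name]
            results.append((name, version, "patched" if ok else "VULNERABLE"))
    return sorted(results)

def demo():
    """Run the audit on a constructed plugins directory (folder names are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = [("plugin-a", "Ultimate Addons for Elementor", "1.20.0"),
                   ("plugin-b", "Ultimate Addons for Beaver Builder", "1.24.1")]
        for folder, name, version in samples:
            (Path(tmp) / folder).mkdir()
            (Path(tmp) / folder / "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
        return audit(tmp)
```

Call `audit()` with the path to the site's `wp-content/plugins` directory; any row marked `VULNERABLE` is older than the fixed release.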
Stay safe out there!