In March 2023, a critical security flaw (CVE-2023-32243) was discovered in Elementor Pro, allowing hackers to control WordPress sites with WooCommerce enabled.
According to Patchstack, the vulnerability allowed malicious users to turn on the registration page and set the default user role to administrator, after which they could redirect the site to another malicious domain or install plugins or backdoors.
The flaw only affected versions 3.11.6 and earlier; Elementor addressed it in version 3.11.7, released on March 22. Despite the fix, Patchstack detected active exploitation attempts, and any WordPress sites that were not promptly updated remained vulnerable.
The State of WordPress Security
With over 5 million WordPress sites using Elementor Pro, even a small fraction of users unaware of this vulnerability or failing to update to the latest version could leave hundreds or even thousands of sites exposed. This incident is a stark reminder of how important it is for those of us in the WordPress community to stay on top of vulnerabilities and updates.
Now, some of you might be thinking, such vulnerabilities can’t be commonplace, can they?
The truth is far from that.
In the larger context, the number of new vulnerabilities in WordPress tripled in 2022, reaching over 4,500, as reported by Patchstack’s 2022 WordPress security report, with the vast majority of them in plugins (93%), followed by themes (6.7%).
Many popular plugins used by millions – like Elementor, UpdraftPlus, WooCommerce, Yoast SEO, and Contact Form by WPForms – were found to contain flaws that could be exploited by hackers and other malicious actors.
This drives home the increasing importance of not only having robust security systems in place but also keeping up to date on all the latest security bugs detected.
Introducing the Cloudways Vulnerability Scanner – Powered by Patchstack
At Cloudways, we understand the importance of proactively addressing vulnerabilities for our customers. That’s why we’re thrilled to announce the Cloudways Vulnerability Scanner to enhance your Cloudways experience.
How It Works
Powered by Patchstack, the Vulnerability Scanner identifies the core, plugin & theme versions installed on your WordPress websites. It then periodically taps into Patchstack’s vulnerability database to check for security issues within your WordPress Core, theme, and plugins.
If a vulnerability is detected, you can find details in the Vulnerability Scanner option for your app, listing the specific WordPress core, theme, & plugin versions. Vulnerable versions are marked with “Issue detected,” along with the recommended actions under the recommendations section.
If the vulnerability has been patched in a newer version, the scanner recommends updating the plugin. If no patch is available, removing the plugin is recommended as the best course of action. Our partnership with Patchstack ensures that you receive early notification of each security bug 48 hours before it is publicly disclosed, allowing you to act promptly.
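The matching logic described above (installed version inside an advisory's affected range, then "update" if a fixed version exists, otherwise "remove") can be illustrated with a small version-comparison routine. This is an added example, not Cloudways' or Patchstack's code: the `Advisory` record layout, the `example-unpatched-plugin` entry with its placeholder advisory ID, and the inventory of installed versions are constructed; only the Elementor Pro entry (CVE-2023-32243, affected up to 3.11.6, fixed in 3.11.7) comes from the article.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Advisory:
    """One entry in a vulnerability feed (constructed layout): every version up to
    and including affected_up_to is vulnerable; fixed_in is None if no patch exists."""
    slug: str
    advisory_id: str
    affected_up_to: str
    fixed_in: Optional[str]


def parse_version(v: str) -> tuple:
    # Numeric dotted versions only; pad to 3 components so "3.11" == "3.11.0".
    parts = [int(p) if p.isdigit() else 0 for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def assess(installed: dict, advisories: list) -> dict:
    """Return {slug: {"status", "recommendation", "advisories"}} per installed component."""
    report = {}
    for slug, version in installed.items():
        hits = [a for a in advisories
                if a.slug == slug and parse_version(version) <= parse_version(a.affected_up_to)]
        if not hits:
            report[slug] = {"status": "Secure", "recommendation": None, "advisories": []}
            continue
        if any(a.fixed_in is None for a in hits):
            rec = "Remove plugin (no patch available)"  # no fix for at least one hit
        else:
            target = max((a.fixed_in for a in hits), key=parse_version)
            rec = f"Update to {target}"  # lowest version that closes every hit
        report[slug] = {"status": "Issue detected", "recommendation": rec,
                        "advisories": [a.advisory_id for a in hits]}
    return report


ADVISORIES = [
    Advisory("elementor-pro", "CVE-2023-32243", "3.11.6", "3.11.7"),  # from the article
    Advisory("example-unpatched-plugin", "PLACEHOLDER-ADVISORY-ID", "1.4.2", None),  # constructed
]
INSTALLED = {  # constructed sample inventory of one site
    "elementor-pro": "3.11.6",
    "example-unpatched-plugin": "1.4.0",
    "some-other-plugin": "2.0.1",
}

if __name__ == "__main__":
    for slug, row in assess(INSTALLED, ADVISORIES).items():
        print(slug, row["status"], row["recommendation"], row["advisories"])
```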
You will also receive notification emails via Cloudways Bot in case any vulnerabilities are detected for any of your WordPress apps. You can even set up Slack channel notifications through the Cloudways Bot.
In case of a new theme or plugin addition to your WordPress, you can check for reported security bugs on-demand by using the “Refresh” button at the top right of the Vulnerability Scanner menu.
With Cloudways taking daily backups, you can easily restore previous versions of your websites in case any vulnerability gets exploited.
Note: The Vulnerability Scanner checks WordPress for security bugs and vulnerabilities. It cannot scan for malware already on your site. Any core, plugin, or theme version marked secure has no known vulnerabilities in Patchstack’s database, so there is no published bug in that version for an external attacker to exploit.
Behind the Scenes at Patchstack
At this point, you might be wondering: What is Patchstack? And how does it manage to track thousands of WordPress plugin & theme versions so effectively?
What is Patchstack?
Well, here’s a short version.
Patchstack provides vulnerability scanning and security for WordPress sites. Founded by Oliver Sild, a former digital agency owner, Patchstack was born out of the need to monitor plugins and themes across different CMS websites.
What began as an internal tool to monitor client sites and flag vulnerable plugin versions evolved into Patchstack (formerly WebArx), now used by thousands of developers to lock down WordPress security.
As of 2023, Patchstack has become the #1 source of WordPress vulnerability data by volume, with popular plugins such as Elementor and WP Rocket designating Patchstack as their official security point of contact. Patchstack also offers a suite of WordPress security services, including vulnerability management, detection, and mitigation through precise virtual patching rules.
How Does Patchstack Stay On Top of Vulnerabilities?
Patchstack takes a leaf out of WordPress’s book: the power of the community!
Patchstack created the Patchstack Alliance, which is now a community of ethical hackers, security researchers, plugin vendors, theme developers, and hosting companies who collaborate to enhance the safety of the WordPress and open-source ecosystem.
Whenever Alliance members discover a vulnerability, they report it to Patchstack and receive a bug bounty (sponsored by Patchstack) and public recognition. Patchstack then manually verifies each reported vulnerability. Once verified, it shares all the important details with the plugin or theme developer, enabling them to create a patch. Thanks to this effort, Patchstack stays continuously updated with the latest WordPress vulnerabilities, helping keep your website safe.
Up next, we’ll soon be releasing another exciting upgrade that’s set to further bolster WordPress site security here at Cloudways. So stay tuned, and do let us know of any feedback and requests at feedback.cloudways.com.
I'm a Product Marketer with a strong passion for discovering cutting-edge tech solutions that address our everyday challenges. Delving into the world of innovative technology never ceases to amaze me. When I'm not immersed in the realm of tech, you can catch me scrolling through Instagram, admiring the vibrant beauty of various bird species, or escaping into the captivating world of fiction.