Last month, a severe vulnerability that could lead to a site takeover was found in Elementor Pro, a renowned WordPress page builder. You're safe if you updated it, but this highlights a common issue with content management systems that rely on plugins.
Elementor Pro is an immensely popular extension for WordPress that empowers users to create professional-grade websites without the need for coding skills. It comes with a drag-and-drop interface, theme-building capabilities, access to a collection of templates, support for custom widgets, and a builder for WooCommerce online shops. No wonder it is used by over 13 million websites worldwide.
Based on reports from "The Hacker News" and other cybersecurity news sources, a high-severity vulnerability in the plugin was found by a NinTechNet security researcher in late March. Specifically, version 3.11.6 and all earlier versions have a weakness that allows authenticated users with low privileges, such as site members or registered shop customers, to alter site settings and gain complete control over the website.
If exploited, the vulnerability allows an authenticated attacker to perform various actions, including, but not limited to, creating an administrator account by enabling user registration and setting the default role to "administrator", changing the administrator's email address, or redirecting website traffic to a malicious external site by altering the site URL.
Patchstack, a WordPress security company, reports that attackers are already exploiting the bug to either redirect website visitors to malicious domains or install backdoors on the compromised site. If you use Elementor Pro, it is therefore crucial to update your WordPress website to version 3.11.7 or later without delay.
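Updating is the fix; as an additional safeguard, a site owner can make the settings this bug abused (registration, default role, admin e-mail, site URL) changeable only by administrators, so a capability check that a plugin forgot is enforced by WordPress core's own option hooks. The following must-use plugin is an added example written for this post, not code from Elementor, Patchstack or Umbraco; it assumes a standard WordPress install where the file is placed in wp-content/mu-plugins/ and uses only the documented `pre_update_option_{$option}` filter and `current_user_can()`.

```php
<?php
/**
 * Plugin Name: Lock critical site options (hypothetical example)
 * Description: Defence in depth. Blocks changes to sensitive options from
 * any context that lacks the manage_options capability, regardless of which
 * plugin exposed the update. Logs each blocked attempt for incident review.
 */

// Options that a low-privilege authenticated user must never be able to change.
const EXAMPLE_LOCKED_OPTIONS = ['users_can_register', 'default_role', 'admin_email', 'siteurl', 'home'];

foreach (EXAMPLE_LOCKED_OPTIONS as $locked) {
    // pre_update_option_{$option} runs inside update_option() before the new value
    // is written; returning $old_value turns the update into a no-op.
    add_filter("pre_update_option_{$locked}", function ($value, $old_value, $option) {
        if ($value === $old_value) {
            return $value; // nothing is actually changing
        }
        // WP-CLI runs without a logged-in user; keep administrative CLI maintenance working.
        if (defined('WP_CLI') && WP_CLI) {
            return $value;
        }
        // Only administrators (manage_options) may change these settings. A request that
        // reaches update_option() through a plugin's AJAX handler from a customer or
        // subscriber account fails here even when the plugin itself skipped the check.
        if (!current_user_can('manage_options')) {
            error_log(sprintf(
                '[option-lock] blocked change of "%s" by user %d from %s',
                $option,
                get_current_user_id(),
                $_SERVER['REMOTE_ADDR'] ?? 'unknown'
            ));
            return $old_value;
        }
        // Never let self-registered accounts become administrators, whoever asks.
        if ($option === 'default_role' && $value === 'administrator') {
            error_log('[option-lock] refused default_role=administrator');
            return $old_value;
        }
        return $value;
    }, 10, 3);
}
```

The `[option-lock]` lines land in the PHP error log, which gives a simple detection signal: any blocked attempt from a non-administrator account is worth investigating as a possible exploitation attempt.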
This incident illustrates a broader problem with content management systems that rely on plugins, such as WordPress. Not only do you have to stay vigilant and keep up with every update, but you also depend on third-party plugin developers to produce those updates and patches in the first place. If a developer discontinues support for a plugin or goes out of business, the website is left without updates and support. What could this mean for your users and your business? Possible data breaches, malicious redirects, malware, slow loading times, and decreased credibility overall.
If your company operates in the healthcare, finance and banking, legal, e-commerce, or logistics sectors, you are undoubtedly aware that these industries face a higher risk of cyber threats. You might therefore want to reconsider running your website on a content management system that depends heavily on third-party plugins. By contrast, fully fledged digital experience platforms like Umbraco offer you:
- A built-in and user-friendly page builder that enables users to create and edit page layouts as quickly as many popular WP extensions.
- Automated security updates.
- Independence from third-party plugins.
- Regular penetration testing.
- Out-of-the-box security health-check features.
Don't get us wrong; WordPress is a reliable vessel that can help your business sail the digital sea. However, if you aim to venture far beyond the shore, you'll need a sturdy ship that can withstand unpredictable waters and keep you afloat.
Ask us what rebuilding your website in Umbraco can look like and what you can gain.