The Core
Topic started by: ergophobe on May 28, 2020, 07:03:48 PM
Lots of detail and a video showing how to take over a site
https://www.wordfence.com/blog/2020/05/the-elementor-attacks-how-creative-hackers-combined-vulnerabilities-to-take-over-wordpress-sites/
Short version:
- use plugin A registration vulnerability to create a user on a site that normally does not allow registration
- use plugin B to upload a custom icon zip file with a backdoor in it
- use backdoor to access site, clean up tracks, create a new backdoor by replacing the xmlrpc.php file.
This would be super easy to achieve right now on a site that had not been patched.
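
A defender-side check for the end state described in the short version above, added here as an example that is not part of the original post or the Wordfence write-up: it compares core files against a known-good hash baseline and lists PHP-executable files sitting under the uploads directory. The baseline, the extension list and the sample site tree are assumptions constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions a web server may execute as PHP (assumed list; match it to your handler config).
EXEC_EXT = {".php", ".phtml", ".phar", ".php5", ".php7"}

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(webroot, baseline, uploads_rel="wp-content/uploads"):
    """Return (changed_or_missing_core_files, executable_files_in_uploads)."""
    webroot = Path(webroot)
    changed = []
    for rel, expected in sorted(baseline.items()):
        f = webroot / rel
        if not f.is_file() or sha256_file(f) != expected:
            changed.append(rel)
    uploads = webroot / uploads_rel
    stray = sorted(
        p.relative_to(webroot).as_posix()
        for p in uploads.rglob("*")
        if p.is_file() and p.suffix.lower() in EXEC_EXT
    )
    return changed, stray

def demo():
    """Build a constructed site tree, audit it clean, then audit it after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        icons = root / "wp-content/uploads/icons/set1"  # constructed path
        icons.mkdir(parents=True)
        (root / "xmlrpc.php").write_text("<?php // constructed stand-in for the stock file\n")
        (icons / "icon.svg").write_text("<svg/>")
        # Baseline taken while the tree is known-good (in practice: from a clean release copy).
        baseline = {"xmlrpc.php": sha256_file(root / "xmlrpc.php")}
        clean = audit(root, baseline)
        # Constructed tampering: core file replaced, a PHP file left inside an icon set.
        (root / "xmlrpc.php").write_text("<?php // constructed replacement\n")
        (icons / "helper.PHP").write_text("<?php // placeholder\n")
        return clean, audit(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere the web server user cannot write, otherwise whoever replaces the file can replace its recorded hash as well.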