TL;DR: If you’re using the Starter Templates plugin on your WordPress site, make sure you’re running version 2.7.5 or higher.
Vulnerability in the Starter Templates Plugin
Last month, Wordfence disclosed a vulnerability in the Starter Templates plugin that allows contributor-level WordPress users to overwrite any page on the website. The vulnerability has a severity score of 7.6 out of 10 and is rated High.
Who is vulnerable?
For your WordPress site to be exposed to this vulnerability, all three of the following criteria must be true:
1. The Starter Templates plugin version 2.7.0 or lower is installed on your site.
2. The Elementor plugin is installed and was used to create pages on your website.
3. You have partially-trusted users on your WordPress site in “Author” and “Contributor” roles.
How does this vulnerability work?
Typically, the “Author” and “Contributor” roles within WordPress have fewer capabilities and are the most restricted. These roles allow access to the content created by that user and nothing else on the website, which makes them suited to guest writers or others who need a sign-off before publishing. With this vulnerability, these restricted users can import new blocks that overwrite content on any post or page, including already published pages.
Worst case scenario
How to protect your website
To patch for this specific vulnerability, verify that your site uses Starter Templates version 2.7.5 or higher. In most cases, it’s best to run the most recent plugin version available so that all known bug fixes and security patches are applied.
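One way to check a site against the three criteria and the patched version, as an added example that is not from Wordfence or the plugin's authors. It assumes WP-CLI is installed and run from the WordPress root, and that `astra-sites` and `elementor` are the plugin slugs; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: checks a site against the three exposure criteria above.
# Assumptions: WP-CLI ("wp") is installed and this runs from the WordPress
# root; "astra-sites" and "elementor" are assumed to be the plugin slugs.
ST_SLUG="astra-sites"
PATCHED="2.7.5"   # fixed version named in this post

# version_lt A B: succeeds when version A sorts strictly before version B.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# classify VERSION ELEMENTOR(yes|no) LOW_PRIV_USER_COUNT
# Prints: patched | exposed (all three criteria met) | outdated
classify() {
  if ! version_lt "$1" "$PATCHED"; then
    echo "patched"
  elif [ "$2" = "yes" ] && [ "$3" -gt 0 ]; then
    echo "exposed"
  else
    echo "outdated"
  fi
}

# audit_site: gathers the three inputs from the live site via WP-CLI.
audit_site() {
  ver=$(wp plugin get "$ST_SLUG" --field=version 2>/dev/null) || {
    echo "not-installed"; return 0; }
  # Installed is a proxy; it does not prove pages were built with Elementor.
  if wp plugin is-installed elementor 2>/dev/null; then el=yes; else el=no; fi
  n=0
  for role in author contributor; do
    c=$(wp user list --role="$role" --format=count)
    n=$((n + ${c:-0}))
  done
  echo "version=$ver elementor=$el low_priv_users=$n"
  classify "$ver" "$el" "$n"
}

# Run the live audit only when asked, e.g.: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
  audit_site
fi
```

A result of "outdated" means the plugin is below 2.7.5 but not all three criteria are met; the update is still the fix.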
If you have any questions, don’t hesitate to reach out to our support team!