Incident Postmortem - March 10th, 2021

Overview

On Tuesday, March 9th, at 11:29am Eastern Time, we received a notification from the host for some of our websites, Kinsta, about a zero-day security vulnerability in the Plus Addons for Elementor Page Builder plug-in, affecting versions prior to 4.1.7. The vast majority of our websites do not use this plug-in; however, vulnerable versions of the plug-in were installed on 52 sites which were created for our clients, some of which were not live and were still in the website development process.

At approximately 10pm on March 9th, our developers began work to identify which sites had the plug-in installed and to test the updated, non-vulnerable version of the plug-in for conflicts on some of our existing sites. Unfortunately, the vulnerability began to be exploited before we could get all of our sites updated.

Due to this vulnerability, a total of 20 sites were affected by authentication bypass exploits, which led to the sites redirecting to third-party websites shortly after being loaded. Once we became aware of this, our Support team alerted our Platform team, who began working with Kinsta to remove the exploits, update the affected plug-in, and secure the affected sites by removing unauthenticated users and reviewing recent site activity.

The issue was resolved after the plug-in had been updated on each site and the unauthenticated user accounts which had been created were removed.

Follow Up

In response to this, we have forced password resets for all users on the affected sites, ensured that all sites we host which have the plug-in installed are using the latest version, version 4.1.7, which is not vulnerable to the exploit, and contacted the clients affected by this exploit.

We have also reviewed our policy regarding these notifications, and taken steps to ensure we can react to them more quickly in the future, allowing us to update any affected sites to non-vulnerable versions of the plug-in within 24 hours after being notified of the vulnerability.

For more information on the vulnerability with the plug-in, please see the vulnerability details at WPScan.

We sincerely apologise for the inconvenience and confusion caused by this - we understand how important it is that your website is available and performs as expected 100% of the time, and we will continue to aim for this. You can always monitor our platform status by visiting our Status page, and if you do notice any problems with your website, you can use our live chat service ("Chat with us!" at the bottom right of this page) to alert our Support team immediately and we will investigate the problem.
