top of page

Wordpress Doppelganger Plugin 'posts-layout' Unauthenticated Takeover

Application Details

This WordPress plugin enhances the Elementor page building experience with 90+ creative elements and extensions. This plugin adds powers to our page builder using the easy-to-use elements those were designed to make our next WordPress page and posts design easier and prettier than ever before.


This vulnerability allows for unauthenticated takeover of websites, where attackers are able to take full admin control, and install malicious plugins.


By sending a specially crafted request, an attacker could exploit this vulnerability to gain system control.

Sucuri observed a large spike in infections, associated with the Balada malware campaign. Many of which included a Doppelgänger post-layouts (Post Layouts for Gutenberg) plugin. The “s” in posts can clearly be identified in this example request:

POST /wp-admin/plugins.php?wc-ajax=1&action=activate&plugin=posts-layouts/posts-layouts.php&plugin_status=all&_wpnonce=810f12b23c


By turning this into a traffic file and matching rule, we are able to detect attempts of privilege escalation by unauthenticated attackers.


Idappcom have created signature 8023894 along with a traffic file for this vulnerability.


Traffic IQ

If you are concerned that your business may be at risk of this vulnerability or others why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here:


bottom of page