Wordfence researchers recently reported active exploitation of security flaws in two related WordPress plugins: Elementor Pro and Ultimate Addons for Elementor. Together, the two vulnerabilities put more than 1 million sites at risk. It is important to note that the free Elementor plugin, installed on more than 4 million websites, is not affected by these flaws. The free plugin is available as a separate download from the WordPress plugin repository; the Pro version is downloaded from the Elementor.com website.
Elementor Pro Plugin Zero-Day Vulnerability
The Elementor Pro plugin, a page builder plugin, has a critical zero-day vulnerability which, according to Wordfence, is exploitable on any site with open user registration, because the attacker only needs a low-privileged account to trigger it. Wordfence describes it as an “Authenticated Arbitrary File Upload” issue.
The good news is that Elementor has already released a new version of the plugin in which the vulnerability is addressed: Elementor Pro version 2.9.4. The Wordfence team has confirmed that this version patches the issue, and users are advised to update as soon as possible.
What are the exploit scenarios for this vulnerability? The issue lets any registered (malicious) user upload arbitrary files, including server-side scripts, which leads to remote code execution. Once code execution is achieved, the attacker can:
- Install a backdoor or webshell on the compromised website to maintain access;
- Gain full admin rights to WordPress;
- Delete the compromised site.
Ultimate Addons for Elementor Vulnerability
This plugin was developed by Brainstorm Force. It has a registration bypass vulnerability that lets an attacker create a user account even when the site has registration disabled, which in turn makes the Elementor Pro issue exploitable on sites that would otherwise not be exposed to it.
The Elementor Pro plugin has been installed on more than 1 million websites, and Ultimate Addons has 110,000 installations, so the number of potentially affected sites is large. Users of the Ultimate Addons for Elementor plugin should make sure they are running version 1.24.2 or later.
The two vulnerabilities are being exploited together, Wordfence says:
In cases where a site does not have user registration enabled, attackers are using the Ultimate Addons for Elementor vulnerability on unpatched sites to register as a subscriber. Then they proceed to use the newly registered accounts to exploit the Elementor Pro zero-day vulnerability and achieve remote code execution.
Impacted users should update both plugins to the latest versions to avoid exploitation. Because the flaws are already being exploited in the wild, a site that was running a vulnerable version should also be checked for the signs of the chain described above: newly registered subscriber accounts and files uploaded through the plugin that were never meant to be there.
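The following triage script is an added example written for this article; it is not code from Wordfence, Elementor or Brainstorm Force. It checks the three things the exploit chain above leaves behind or depends on: whether either plugin is still below the fixed version (2.9.4 and 1.24.2, the numbers from the report), whether wp-content/uploads contains files the webserver would execute as PHP (where an arbitrary-file-upload webshell would land), and which subscriber accounts were registered after a cutoff date. The plugin main-file paths (`elementor-pro/elementor-pro.php`, `ultimate-elementor/ultimate-elementor.php`) are assumed to be the default ones, the user data is assumed to be the JSON printed by `wp user list --role=subscriber --fields=ID,user_login,user_registered --format=json`, and all sample data in the block is constructed.

```python
"""WordPress triage for the Elementor Pro / Ultimate Addons reports.

Added example, not vendor or Wordfence code. Assumes default plugin paths and
wp-cli JSON for user data; every sample value below is constructed.
"""
import json
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Fixed versions named in the Wordfence report; anything older is flagged.
FIXED_VERSIONS = {
    "elementor-pro/elementor-pro.php": "2.9.4",             # assumed default path
    "ultimate-elementor/ultimate-elementor.php": "1.24.2",  # assumed default path
}
# Suffixes a stock Apache/PHP-FPM setup executes; uploads/ should contain none.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}
_VERSION_RE = re.compile(r"^[ \t*#]*Version:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_plugin_version(header_text):
    """Return the 'Version:' value from a WordPress plugin header, or None."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_key(version):
    """'2.9.3' -> (2, 9, 3); a trailing tag such as '-beta' is ignored."""
    numeric = re.match(r"[\d.]+", version)
    return tuple(int(p) for p in numeric.group(0).split(".") if p) if numeric else ()


def is_vulnerable(installed, fixed):
    """True when the installed version is older than the one that fixes the flaw."""
    return version_key(installed) < version_key(fixed)


def audit_plugins(plugins_dir):
    """Map each watched plugin to 'absent', 'patched (...)' or 'VULNERABLE ...'."""
    report = {}
    for rel_path, fixed in FIXED_VERSIONS.items():
        main_file = Path(plugins_dir) / rel_path
        if not main_file.is_file():
            report[rel_path] = "absent"
            continue
        installed = parse_plugin_version(main_file.read_text(errors="replace"))
        if installed is None:
            report[rel_path] = "unknown version"
        elif is_vulnerable(installed, fixed):
            report[rel_path] = f"VULNERABLE {installed} (fixed in {fixed})"
        else:
            report[rel_path] = f"patched ({installed})"
    return report


def find_executable_uploads(uploads_dir):
    """Relative paths of files under uploads/ that the webserver would run as PHP."""
    uploads_dir = Path(uploads_dir)
    if not uploads_dir.is_dir():
        return []
    return sorted(p.relative_to(uploads_dir).as_posix()
                  for p in uploads_dir.rglob("*")
                  if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES)


def recent_subscribers(wp_user_json, since):
    """Logins from `wp user list` JSON whose account was registered at or after `since`."""
    return [u["user_login"] for u in json.loads(wp_user_json)
            if datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S") >= since]


# Constructed sample data: one unpatched plugin, one patched, one rogue upload.
DEMO_PLUGIN_FILES = {
    "elementor-pro/elementor-pro.php":
        "<?php\n/**\n * Plugin Name: Elementor Pro\n * Version: 2.9.3\n */\n",
    "ultimate-elementor/ultimate-elementor.php":
        "<?php\n/**\n * Plugin Name: Ultimate Addons for Elementor\n * Version: 1.24.2\n */\n",
}
DEMO_UPLOADS = ["2020/05/photo.jpg", "2020/05/upload.php"]
DEMO_USERS_JSON = json.dumps([
    {"ID": 7, "user_login": "alice", "user_registered": "2019-11-02 08:14:00"},
    {"ID": 8813, "user_login": "user8813", "user_registered": "2020-05-06 15:20:11"},
])


def run_demo():
    """Build the constructed wp-content tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins, uploads = Path(tmp) / "plugins", Path(tmp) / "uploads"
        for rel, text in DEMO_PLUGIN_FILES.items():
            (plugins / rel).parent.mkdir(parents=True, exist_ok=True)
            (plugins / rel).write_text(text)
        for rel in DEMO_UPLOADS:
            (uploads / rel).parent.mkdir(parents=True, exist_ok=True)
            (uploads / rel).write_text("sample")
        return {
            "plugins": audit_plugins(plugins),
            "executable_uploads": find_executable_uploads(uploads),
            "new_subscribers": recent_subscribers(DEMO_USERS_JSON, datetime(2020, 5, 5)),
        }


if __name__ == "__main__":
    for section, value in run_demo().items():
        print(f"{section}: {value}")
```

On a real site, point `audit_plugins` at wp-content/plugins, `find_executable_uploads` at wp-content/uploads, and feed `recent_subscribers` the wp-cli JSON with a cutoff just before the plugin was last known to be patched. The extension check is only a first pass: a webshell can also hide under a non-PHP name if the server is configured to execute it, so a site that ran a vulnerable version while exploitation was active deserves a fuller integrity check rather than just the update.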