Critical Zero-Day in Elementor Pro Plugin Puts 1M WordPress Sites at Risk

Wordfence researchers recently reported active exploitation of vulnerabilities in two related WordPress plugins, Elementor Pro and Ultimate Addons for Elementor. Together the flaws put more than 1 million sites at risk. Note that the free Elementor plugin, installed on more than 4 million websites, is not affected. The free plugin is distributed separately through the WordPress plugin repository; the Pro version is downloaded from Elementor.com.

Elementor Pro Plugin Zero-Day Vulnerability

Elementor Pro, a page builder plugin, has a critical zero-day vulnerability that Wordfence describes as an "Authenticated Arbitrary File Upload" issue. Exploitation requires a logged-in account (a subscriber-level account is enough), which is why Wordfence flags sites with open user registration as directly exposed: anyone can create the account the attack needs.

The good news is that Elementor has already released a fixed version, Elementor Pro 2.9.4. Wordfence has confirmed that it patches the issue, and users are advised to update as soon as possible.

What can an attacker do with this vulnerability? It lets a registered (malicious) user upload arbitrary files, which leads to remote code execution. Once code execution is achieved, the attacker can:

  • Install a backdoor or webshell on the compromised website to maintain access;
  • Gain full admin rights to WordPress;
  • Delete the compromised site.

Ultimate Addons for Elementor Vulnerability

This plugin is developed by Brainstorm Force. It contains a registration bypass vulnerability that allows the Elementor Pro issue to be exploited even on sites that do not have user registration enabled.

Elementor Pro is installed on more than 1 million websites and Ultimate Addons on roughly 110,000, so the pool of affected sites is large. Ultimate Addons for Elementor users should be running version 1.24.2 or later.

The two vulnerabilities are being exploited together, Wordfence says:

In cases where a site does not have user registration enabled, attackers are using the Ultimate Addons for Elementor vulnerability on unpatched sites to register as a subscriber. Then they proceed to use the newly registered accounts to exploit the Elementor Pro zero-day vulnerability and achieve remote code execution.

Affected users should update both plugins to the latest versions to close off the chain.
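A quick way to check whether a site is exposed is to read the installed plugin versions and apply the chain described above: Elementor Pro below 2.9.4 is exploitable by any registered user, and an attacker gets such an account either through open registration or through Ultimate Addons below 1.24.2. The script below is an added example written for this article, not code from Wordfence, Elementor or Brainstorm Force. The plugin header format (the "Version:" field) is standard WordPress; the plugin slugs and main-file paths are assumptions, and the sample headers are constructed for the demonstration.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Patched releases named in the article.
PATCHED: Dict[str, Tuple[int, ...]] = {
    "elementor-pro": (2, 9, 4),
    "ultimate-elementor": (1, 24, 2),
}

# Main plugin files whose header carries the "Version:" field.
# ASSUMPTION: these slugs/paths are illustrative, verify them on your install.
MAIN_FILES = {
    "elementor-pro": "wp-content/plugins/elementor-pro/elementor-pro.php",
    "ultimate-elementor": "wp-content/plugins/ultimate-elementor/ultimate-elementor.php",
}

# Matches a WordPress plugin header line such as " * Version: 2.9.3".
VERSION_RE = re.compile(r"^[\s*#/]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.MULTILINE)


def parse_version(header_text: str) -> Optional[Tuple[int, ...]]:
    """Pull the numeric 'Version:' field out of a plugin file header."""
    m = VERSION_RE.search(header_text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def older_than(installed: Tuple[int, ...], patched: Tuple[int, ...]) -> bool:
    """Numeric comparison with trailing zeros padded, so 2.9 == 2.9.0 and 2.10 > 2.9.4."""
    n = max(len(installed), len(patched))
    pad = lambda v: v + (0,) * (n - len(v))
    return pad(installed) < pad(patched)


def fmt(v: Tuple[int, ...]) -> str:
    return ".".join(str(p) for p in v)


def assess(plugins: Dict[str, Optional[str]], users_can_register: bool) -> List[str]:
    """Apply the article's logic. `plugins` maps slug -> main-file text (None if not installed);
    `users_can_register` is the WordPress 'Anyone can register' setting."""
    findings: List[str] = []
    vulnerable: Dict[str, bool] = {}
    for slug, text in plugins.items():
        vulnerable[slug] = False
        if text is None:
            continue
        v = parse_version(text)
        if v is None:
            findings.append(f"{slug}: could not read version header")
            continue
        if older_than(v, PATCHED[slug]):
            vulnerable[slug] = True
            findings.append(f"{slug} {fmt(v)} is below patched {fmt(PATCHED[slug])}")
    if vulnerable.get("elementor-pro"):
        if users_can_register:
            findings.append("open registration: an attacker can self-register and reach the file upload flaw")
        elif vulnerable.get("ultimate-elementor"):
            findings.append("registration bypass in Ultimate Addons supplies the account the Elementor Pro flaw needs")
        else:
            findings.append("exploitable by any existing registered user; update anyway")
    return findings


def assess_docroot(docroot: str, users_can_register: bool) -> List[str]:
    """Read the main plugin files from a WordPress document root and assess them."""
    plugins: Dict[str, Optional[str]] = {}
    for slug, rel in MAIN_FILES.items():
        path = os.path.join(docroot, rel)
        plugins[slug] = open(path, encoding="utf-8", errors="replace").read() if os.path.isfile(path) else None
    return assess(plugins, users_can_register)


# Constructed sample headers shaped like real plugin headers (not taken from the plugins).
SAMPLE_ELEMENTOR_PRO = """<?php
/**
 * Plugin Name: Elementor Pro
 * Version: 2.9.3
 */
"""
SAMPLE_UAE = """<?php
/**
 * Plugin Name: Ultimate Addons for Elementor
 * Version: 1.24.1
 */
"""

if __name__ == "__main__":
    for line in assess({"elementor-pro": SAMPLE_ELEMENTOR_PRO, "ultimate-elementor": SAMPLE_UAE}, False):
        print(line)
```

Run `assess_docroot("/var/www/html", users_can_register)` against a real install, taking the registration flag from the `users_can_register` option in the site's database. The version test pads short version strings so that a release like 2.10 is not mistaken for something older than 2.9.4.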


Researched and created by:
Krum Popov
Passionate web entrepreneur, has been crafting web projects since 2007. In 2020, he founded HTH.Guide, a platform dedicated to streamlining the search for the right web hosting solution.
Technically reviewed by:
Metodi Ivanov
Seasoned web development expert with 8+ years of experience, including specialized knowledge in hosting environments.
