Issues in Elementor Pro and Ultimate Addons for Elementor exposed 1 Million WordPress sites at risk

Attackers exploited two security issues in the Elementor Pro and Ultimate Addons for Elementor WordPress plugins to fully compromise over 1M sites.

Hackers are actively exploiting two security flaws in the Elementor Pro and Ultimate Addons for Elementor WordPress plugins to fully compromise unpatched WordPress installs.

Security experts from Wordfence have observed a hacking campaign targeting the two issues since May 6, 2020, when the attacks began the flaw was a zero-day.

“On May 6, 2020, our Threat Intelligence team received reports of active exploitation of vulnerabilities in two related plugins, Elementor Pro and Ultimate Addons for Elementor. We have reviewed the log files of compromised sites to confirm this activity.” reads the analysis published by WordFence.

“There are two plugins affected by this attack campaign. The first is Elementor Pro which is made by Elementor. This plugin has a zero day vulnerability which is exploitable if users have open registration.” “The second affected plugin is Ultimate Addons for Elementor, which is made by Brainstorm Force.”

Elementor Pro is a paid plugin that is actually installed on over 1 million websites, it allows users to easily create WordPress websites.

The Elementor Pro is affected by a remote code execution vulnerability that could be exploited by attackers with registered user access to upload arbitrary files on the targeted websites and execute code remotely.

The attackers exploited the vulnerability to install backdoors or webshells to maintain access to the compromised sites, gain full admin access to fully compromise it, or even to delete the entire site.

If the attackers haven’t registered as users, they can exploit another vulnerability affecting the Ultimate Addons for Elementor WordPress plugin that allow them to register as subscriber-level users.

The Ultimate Addons for Elementor WordPress plugin is installed on over 110,000 sites, WordFence experts pointed out that the issue could be exploited on any site running the plugin even if user registration is disabled.

“Attackers are able to directly target the zero day vulnerability in Elementor Pro on sites with open user registration.” continues Wordfence.

“In cases where a site does not have user registration enabled, attackers are using the Ultimate Addons for Elementor vulnerability on unpatched sites to register as a subscriber. Then they proceed to use the newly registered accounts to exploit the Elementor Pro zero day vulnerability and achieve remote code execution.”

Administrators of WordPress sites could secure their installs by updating to Elementor Pro to version 2.9.4 and the Ultimate Addons for Elementor to version 1.24.2 or later.

Wordfence provided the following recommendations to protect WordPress sites:

• Check for any unknown subscriber-level users on your site. This may indicate that your site has been compromised as a part of this active campaign. If so, remove those accounts.
• Check for files named “wp-xmlrpc.php.” These can be considered an indication of compromise, so check your site for evidence of this file.
• Delete any unknown files or folders found in /wp-content/uploads/elementor/custom-icons/ directory. Files located here after a rogue subscriber-level account has been created are a clear indication of compromise.

Please vote Security Affairs for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
https://docs.google.com/forms/d/e/1FAIpQLSe8AkYMfAAwJ4JZzYRm8GfsJCDON8q83C9_wu5u10sNAt_CcA/viewform

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Elementor Pro, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]