A flaw in The Plus Addons for Elementor WordPress plugin allows sites takeover

Researchers from the Wordfence team found a critical vulnerability in The Plus Addons for Elementor WordPress plugin that could be exploited to take over a website.

Researchers at the Wordfence team of the security firm Defiant have spotted a critical flaw in The Plus Addons for Elementor WordPress plugin that could be exploited by attackers to gain administrative privileges to a website and take over it. The researchers also warn that the zero-day vulnerability has been exploited in the wild.

The Plus Addons for Elementor allows to add several widgets to the popular WordPress website builder Elementor, it has more than 30,000 installations to date.

Wordfence researchers discovered the vulnerability in one of the widgets that the plugin allows to add, it allows designers and developers to insert user login and registration forms to Elementor pages.

The flaw allows attackers to create new administrative user accounts on vulnerable sites when the user registration is enabled, and log in as other administrative users. The vulnerability was reported to WPScan by the Seravo hosting company.

“The flaw makes it possible for attackers to create new administrative user accounts on vulnerable sites, if user registration is enabled, along with logging in as other administrative users.” reads the post published by WordFence.

The vulnerability doesn’t affect the free version of the plugin, The Plus Addons for Elementor Lite.

The development team behind the plugin has fully patched the flaw on March 9th with the release of version 4.1.7. Users are highly recommended to update to this version immediately to prevent attacks.

At the time of this writing, experts have very limited indicators of compromise. Attackers are adding user accounts with usernames as the registered email address based on how the vulnerability creates user accounts, in some cases the experts observed attackers installing a malicious plugin labeled wpstaff.

“We strongly recommend checking your site for any unexpected administrative users or plugins you did not install.” continues the post.

The researchers pointed out that threat actors in the wild are actively exploiting the vulnerability.

The researchers also created a proof-of-concept exploit code for this vulnerability.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.