A flaw in The Plus Addons for Elementor WordPress plugin allows sites takeover

Researchers from the Wordfence team found a critical vulnerability in The Plus Addons for Elementor WordPress plugin that could be exploited to take over a website.

Researchers at the Wordfence team of the security firm Defiant have spotted a critical flaw in The Plus Addons for Elementor WordPress plugin that could be exploited by attackers to gain administrative privileges to a website and take over it. The researchers also warn that the zero-day vulnerability has been exploited in the wild.

The Plus Addons for Elementor allows to add several widgets to the popular WordPress website builder Elementor, it has more than 30,000 installations to date.

Wordfence researchers discovered the vulnerability in one of the widgets that the plugin allows to add, it allows designers and developers to insert user login and registration forms to Elementor pages.

The flaw allows attackers to create new administrative user accounts on vulnerable sites when the user registration is enabled, and log in as other administrative users. The vulnerability was reported to WPScan by the Seravo hosting company.

“The flaw makes it possible for attackers to create new administrative user accounts on vulnerable sites, if user registration is enabled, along with logging in as other administrative users.” reads the post published by WordFence.

The vulnerability doesn’t affect the free version of the plugin, The Plus Addons for Elementor Lite.

The development team behind the plugin has fully patched the flaw on March 9th with the release of version 4.1.7. Users are highly recommended to update to this version immediately to prevent attacks.

At the time of this writing, experts have very limited indicators of compromise. Attackers are adding user accounts with usernames as the registered email address based on how the vulnerability creates user accounts, in some cases the experts observed attackers installing a malicious plugin labeled wpstaff.

“We strongly recommend checking your site for any unexpected administrative users or plugins you did not install.” continues the post.

The researchers pointed out that threat actors in the wild are actively exploiting the vulnerability.

The researchers also created a proof-of-concept exploit code for this vulnerability.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

[adrotate banner=”5″]

[adrotate banner=”13″]