As reported by the Threat Intelligence team at Wordfence, reports of threat actors attempting to exploit the two issues in ongoing attacks had appeared as of May 6.
Elementor Pro
Elementor Pro is a paid plugin with an estimated number of over 1 million active installs, enabling users to quickly and easily develop WordPress websites from scratch, with the aid of a built-in theme builder, a visual form widget designer, and custom CSS support.
The Elementor Pro vulnerability is an RCE (Remote Code Execution) bug rated as Critical. It enables attackers with registered user access to upload arbitrary files to the affected websites and remotely execute code.
In order to preserve access to the compromised sites, attackers who successfully exploit this security issue can either install backdoors or webshells, obtain full admin access to completely compromise the site, or even entirely eliminate the site.
In case they are unable to register as users, they can exploit the second vulnerability in the over 110,000-site-installed Ultimate Addons for Elementor WordPress plugin, which will let them sign up as subscriber-level users on any site using the plugin even if user registration is disabled.
"Then they proceed to use the newly registered accounts to exploit the Elementor Pro [..] vulnerability and achieve remote code execution," as Wordfence discovered.
Mitigation Measures
In order to protect oneself from the ongoing attacks, it is advised to update your Elementor Pro to version 2.9.4, that patches the remote code execution vulnerability.
Users of the Ultimate Addons for Elementor will have to upgrade to version 1.24.2 or later. To be sure that your website has not already been compromised, Wordfence advises taking the following actions:
- Check for any unknown subscriber-level users on your site.
- Check for files named “wp-xmlrpc.php.”
- Delete any unknown files or folders found in /wp-content/uploads/elementor/custom-icons/ directory.
