
Critical WordPress Plugin Vulnerability Enables Hackers To Exploit Over 1M Sites

Threat actors are apparently exploiting two security flaws in the Elementor Pro and Ultimate Addons for Elementor WordPress plugins, in an effort to remotely execute arbitrary code and completely compromise unpatched targets.

As reported by the Threat Intelligence team at Wordfence, attempts to exploit the two issues in ongoing attacks had been observed as of May 6.

Elementor Pro

Elementor Pro is a paid plugin with an estimated number of over 1 million active installs, enabling users to quickly and easily develop WordPress websites from scratch, with the aid of a built-in theme builder, a visual form widget designer, and custom CSS support.

The Elementor Pro vulnerability is an RCE (Remote Code Execution) bug rated as Critical. It lets an attacker who holds a registered user account on the site upload arbitrary files and execute code remotely.

Attackers who successfully exploit this flaw can install backdoors or web shells to preserve their access, escalate to full administrator access and take over the site completely, or wipe the site outright.

If they cannot register as users, they can exploit the second vulnerability, in the Ultimate Addons for Elementor WordPress plugin (installed on over 110,000 sites), which lets them sign up as subscriber-level users on any site running the plugin even when user registration is disabled.

"Then they proceed to use the newly registered accounts to exploit the Elementor Pro [..] vulnerability and achieve remote code execution," as Wordfence discovered.

Mitigation Measures

To protect against the ongoing attacks, update Elementor Pro to version 2.9.4, which patches the remote code execution vulnerability.

Users of Ultimate Addons for Elementor should upgrade to version 1.24.2 or later. To be sure that your website has not already been compromised, Wordfence advises taking the following actions:

  • Check for any unknown subscriber-level users on your site. Their presence may indicate that the site has been compromised as part of this active campaign; if so, remove those accounts.
  • Check for files named “wp-xmlrpc.php”. These may indicate a compromise, so search your site for evidence of this file.
  • Delete any unknown files or folders found in the /wp-content/uploads/elementor/custom-icons/ directory. The presence of files here following the creation of a rogue subscriber-level account is a clear indication of compromise.
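The three checks above can be scripted for a defender who has to audit many sites. The following is an added example, not code from Wordfence, Elementor, or the original post. It assumes user records have been exported in the shape that `wp user list --format=json --fields=ID,user_login,roles,user_registered` produces (the sample records, their dates and the `DEMO_SINCE` cut-off are constructed placeholders; the post only gives "May 6"), and it builds a throwaway WordPress directory tree in a temp directory so it runs offline. The `known_icon_sets` allowlist is a hypothetical parameter: it stands in for the icon folders the site owner knows they uploaded themselves.

```python
"""Audit a WordPress install for the three indicators Wordfence lists:
rogue subscriber accounts, files named wp-xmlrpc.php, and unexpected entries
under wp-content/uploads/elementor/custom-icons/.  Added example; not
Wordfence's or Elementor's code."""
import json
import os
import tempfile
from datetime import datetime

CUSTOM_ICONS = "wp-content/uploads/elementor/custom-icons"
SUSPICIOUS_NAME = "wp-xmlrpc.php"  # core ships xmlrpc.php, never wp-xmlrpc.php

# Constructed sample of exported user records; dates are placeholders.
DEMO_USERS = [
    {"ID": 1, "user_login": "admin", "roles": ["administrator"], "user_registered": "2019-01-10 09:00:00"},
    {"ID": 2, "user_login": "editor_jane", "roles": ["editor"], "user_registered": "2019-06-02 12:30:00"},
    {"ID": 3, "user_login": "qwe8821", "roles": ["subscriber"], "user_registered": "2020-05-07 03:14:05"},
    {"ID": 4, "user_login": "oldreader", "roles": ["subscriber"], "user_registered": "2018-11-20 08:00:00"},
]
DEMO_SINCE = datetime(2020, 5, 6)  # placeholder start of the attack window


def find_rogue_subscribers(users, since):
    """Return logins of subscriber-level accounts registered on or after `since`."""
    hits = []
    for user in users:
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "subscriber" in user["roles"] and registered >= since:
            hits.append(user["user_login"])
    return hits


def find_suspicious_files(wp_root, known_icon_sets=()):
    """Report every wp-xmlrpc.php under the install and every entry in the
    custom-icons directory that is not in the owner's allowlist."""
    findings = {"wp_xmlrpc": [], "custom_icons": []}
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            if name == SUSPICIOUS_NAME:
                rel = os.path.relpath(os.path.join(dirpath, name), wp_root)
                findings["wp_xmlrpc"].append(rel.replace(os.sep, "/"))
    icons_dir = os.path.join(wp_root, *CUSTOM_ICONS.split("/"))
    if os.path.isdir(icons_dir):
        for entry in sorted(os.listdir(icons_dir)):
            if entry not in known_icon_sets:
                findings["custom_icons"].append(f"{CUSTOM_ICONS}/{entry}")
    return findings


def run_audit(wp_root, users, since, known_icon_sets=()):
    """Combine the three checks into one report with an overall verdict."""
    report = find_suspicious_files(wp_root, known_icon_sets)
    report["rogue_subscribers"] = find_rogue_subscribers(users, since)
    report["compromise_suspected"] = any(
        report[key] for key in ("wp_xmlrpc", "custom_icons", "rogue_subscribers")
    )
    return report


def build_demo_tree():
    """Construct a fake install with one planted indicator of each file kind.
    The planted PHP files are inert placeholders, not real web shells."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    icons = os.path.join(root, *CUSTOM_ICONS.split("/"))
    os.makedirs(os.path.join(icons, "my-icons"))         # legitimate admin upload
    os.makedirs(os.path.join(icons, "zip-upload-7f3a"))  # unexpected folder (constructed)
    with open(os.path.join(icons, "zip-upload-7f3a", "index.php"), "w") as fh:
        fh.write("<?php // constructed placeholder\n")
    with open(os.path.join(root, "xmlrpc.php"), "w") as fh:
        fh.write("<?php // legitimate core file name, must not be flagged\n")
    with open(os.path.join(root, "wp-content", SUSPICIOUS_NAME), "w") as fh:
        fh.write("<?php // constructed placeholder\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    result = run_audit(demo_root, DEMO_USERS, DEMO_SINCE, known_icon_sets=("my-icons",))
    print(json.dumps(result, indent=2))
```

On a real site, point `wp_root` at the install directory and feed `run_audit` the exported user list; treat any non-empty finding as a reason to take the site offline and investigate rather than just deleting the flagged files, since the same account that planted them may have made other changes.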