Elementor plugin

Recently, the Wordfence Threat Intelligence team observed that hackers are exploiting two vulnerabilities in two WordPress plugins, Elementor Pro and Ultimate Addons for Elementor, which together could easily compromise an unpatched WordPress installation. More alarmingly, at the time of the report the most severe of the two vulnerabilities had not yet been patched.

Because the attack was ongoing, the Wordfence Threat Intelligence team provided the necessary information to users so that they could take measures to protect their websites. The team also reviewed the log files of compromised websites to trace the attack activity.

The security experts at Wordfence have observed that these hacking campaigns have specifically targeted the two issues since May 6, 2020, when the attacks began.

At the same time, the Wordfence Threat Intelligence team released a firewall rule that protects Wordfence Premium users from exploitation of these vulnerabilities. Free Wordfence users have to wait until June 5, 2020, to receive the same protection.

Plugins that are affected

As mentioned earlier, two plugins are affected by this attack campaign: Elementor Pro and Ultimate Addons for Elementor. Of these, Elementor Pro has a zero-day vulnerability, and Ultimate Addons for Elementor has a registration bypass vulnerability.

Elementor Pro

  • Description: Authenticated Arbitrary File Upload
  • Affected Plugin: Elementor Pro
  • Plugin Slug: elementor-pro
  • Affected Versions: <= 2.9.3
  • CVE ID: Will be updated once identifier is supplied.
  • CVSS Score: 9.9 (Critical)
  • CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Fully Patched Version: 2.9.4

Ultimate Addons for Elementor

  • Description: Registration Bypass
  • Affected Plugin: Ultimate Addons for Elementor
  • Plugin Slug: ultimate-elementor
  • Affected Versions: <= 1.24.1
  • CVE ID: Will be updated once identifier is supplied.
  • CVSS Score: 7.2 (High)
  • CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
  • Fully Patched Version: 1.24.2

Elementor Pro is a paid plugin that makes it easy for users to build WordPress websites; it is installed on more than 1 million sites. The Ultimate Addons for Elementor plugin is installed on more than 110,000 sites.

The security experts at Wordfence have clearly stated that even if “user registration” is disabled, the issue can be exploited on any site that runs the plugin. Thus, to defend against these ongoing attacks, WordPress site administrators should immediately update Elementor Pro to version 2.9.4 or higher and Ultimate Addons for Elementor to version 1.24.2 or higher.

Two vulnerabilities are being used

If your site has the ‘open user registration’ option enabled, an attacker can register an account and then gain access to the site through the zero-day vulnerability discovered in Elementor Pro.

If your site does not have user registration enabled, attackers instead take advantage of the vulnerability found in Ultimate Addons for Elementor to register as a subscriber on any unpatched website.

With the newly created subscriber accounts, the attackers can then exploit Elementor Pro’s zero-day vulnerability to execute arbitrary code remotely.

Security Measures to protect your sites

  • Upgrade Ultimate Addons for Elementor immediately.
  • Upgrade Elementor Pro immediately.
  • Check for any unknown subscriber-level users on your site.
  • Check for files named “wp-xmlrpc.php”.
  • Delete any unknown files or folders found in /wp-content/uploads/elementor/custom-icons/ directory.
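
The last three checks in the list can be scripted. The following POSIX shell script is an added example, not part of the original article and not code from Wordfence or Elementor: it walks a WordPress root for files named wp-xmlrpc.php, lists whatever sits in the Elementor custom-icons upload directory so it can be reviewed, flags any PHP file under wp-content/uploads (a location that should never hold executable code), and, if WP-CLI is installed (an assumption), lists subscriber-level accounts with their registration dates so unknown ones can be spotted. It only reads; deleting anything it reports is a decision for the administrator after review.

```shell
#!/bin/sh
# Added example: read-only post-incident checks for the indicators listed above.
# Usage: sh elementor_check.sh /path/to/wordpress
# Exit status: 0 when nothing suspicious was found, 1 otherwise.

# 1. Files named wp-xmlrpc.php anywhere under the site root. The legitimate
#    WordPress XML-RPC endpoint is xmlrpc.php in the site root; the "wp-"
#    prefixed name is the one the article tells administrators to look for.
find_rogue_xmlrpc() {
    find "$1" -type f -name 'wp-xmlrpc.php' 2>/dev/null
}

# 2. Everything in the Elementor custom-icons upload directory. It should only
#    contain icon packs the site owner uploaded; anything else needs review.
list_custom_icons() {
    dir="$1/wp-content/uploads/elementor/custom-icons"
    [ -d "$dir" ] || return 0
    find "$dir" -mindepth 1 2>/dev/null
}

# 3. PHP files under wp-content/uploads are almost never legitimate, because
#    that tree is meant for media, not code.
find_php_in_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null
}

# 4. Subscriber accounts with registration dates, via WP-CLI when available
#    (assumption: the `wp` command is installed and can reach the database).
#    Without WP-CLI, review Users > Subscribers in wp-admin instead.
recent_subscribers() {
    if ! command -v wp >/dev/null 2>&1; then
        echo "wp-cli not found; review Users > Subscribers in wp-admin" >&2
        return 0
    fi
    wp --path="$1" user list --role=subscriber \
        --fields=ID,user_login,user_email,user_registered
}

# Run all checks against one site root; return 1 if anything suspicious turned up.
check_site() {
    root="$1"
    suspicious=0
    # sort -u so a wp-xmlrpc.php dropped inside uploads/ is reported once.
    for f in $( { find_rogue_xmlrpc "$root"; find_php_in_uploads "$root"; } | sort -u ); do
        echo "SUSPICIOUS: $f"
        suspicious=1
    done
    for f in $(list_custom_icons "$root"); do
        echo "REVIEW custom-icons entry: $f"
    done
    recent_subscribers "$root"
    return $suspicious
}

# Only run when a site root is given on the command line.
if [ $# -ge 1 ]; then
    check_site "$1"
fi
```

Run it as the web server's user (or root) against the WordPress document root; a non-zero exit makes it easy to chain into a cron job or a monitoring check so the files reappearing after cleanup is noticed quickly.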

Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.