Elementor Pro and Ultimate Addons for Elementor Put One Million Sites at Risk

Threat Alerts / May 10, 2020
The Wordfence team has reported active exploitation of vulnerabilities in two related plugins, Elementor Pro and Ultimate Addons for Elementor. They are alerting everyone so that site owners can take the steps needed to protect their sites, as this attack is being exploited right now.

Threat Alert For Two Plugins

The first is Elementor Pro, which is made by Elementor. This plugin has a zero-day vulnerability which is exploitable if the site has open user registration.

The second affected plugin is Ultimate Addons for Elementor, which is made by Brainstorm Force. A vulnerability in this plugin allows the Elementor Pro vulnerability to be exploited, even if the site does not have user registration enabled.

The Wordfence team estimates that Elementor Pro is installed on over 1 million sites and that Ultimate Addons has an install base of roughly 110,000.

1. Elementor Pro

The vulnerability in Elementor Pro, which is rated Critical in severity, allows registered users to upload arbitrary files, leading to Remote Code Execution. This is a zero-day vulnerability and affects ONLY Elementor Pro (not the free version).

An attacker able to remotely execute code on your site can install a backdoor or webshell to maintain access, gain full administrative access to WordPress, or even delete your site entirely. The Elementor team is working on a patch for this.

2. Ultimate Addons for Elementor

The Ultimate Addons for Elementor plugin recently patched a vulnerability in version 1.24.2 that allows attackers to create subscriber-level users, even if registration is disabled on a WordPress site.

Two vulnerabilities being used in concert to attack sites

Attackers are able to directly target the zero-day vulnerability in Elementor Pro on sites with open user registration.

In cases where a site does not have user registration enabled, attackers are using the Ultimate Addons for Elementor vulnerability on unpatched sites to register as a subscriber. They then use the newly registered accounts to exploit the Elementor Pro zero-day vulnerability and achieve remote code execution.
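A defender-side triage of the chain described above, written for this post as an added example (it is not Wordfence's or either vendor's code). It assumes the plugin directory slugs `elementor-pro` and `ultimate-elementor` and a site dict shaped like wp-cli output; the sample site data is constructed.

```python
from datetime import datetime

# Ultimate Addons for Elementor fixed unauthenticated user creation in 1.24.2 (per the alert).
UAE_PATCHED = (1, 24, 2)
# Plugin directory slugs as shown by `wp plugin list`; assumed, verify on your install.
ELEMENTOR_PRO_SLUG = "elementor-pro"
UAE_SLUG = "ultimate-elementor"

def parse_version(version):
    """Turn a dotted version string such as '1.24.1' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))

def triage(site):
    """Return findings for one site. `site` (assumed shape, e.g. built from wp-cli output) holds
    plugins {slug: version}, users_can_register (the WP option), registration_disabled_since
    (ISO timestamp or None) and users [(login, role, user_registered ISO timestamp)]."""
    findings = []
    plugins = site["plugins"]
    if ELEMENTOR_PRO_SLUG in plugins:
        findings.append("elementor-pro installed: zero-day unpatched, limit registration until the vendor fix ships")
        if site["users_can_register"]:
            findings.append("open registration: anyone can register and reach the Elementor Pro upload bug")
    uae_version = plugins.get(UAE_SLUG)
    if uae_version is not None and parse_version(uae_version) < UAE_PATCHED:
        findings.append(f"ultimate-elementor {uae_version} < 1.24.2: unauthenticated subscriber creation, update now")
    # Subscriber accounts created while registration was off are the footprint of the
    # Ultimate Addons bug being used as the first step of the chain.
    since = site.get("registration_disabled_since")
    if since and not site["users_can_register"]:
        cutoff = datetime.fromisoformat(since)
        for login, role, registered in site["users"]:
            if role == "subscriber" and datetime.fromisoformat(registered) >= cutoff:
                findings.append(f"subscriber '{login}' created {registered} while registration was disabled")
    return findings

# Constructed sample site, not data from a real install.
SAMPLE_SITE = {
    "plugins": {ELEMENTOR_PRO_SLUG: "2.9.3", UAE_SLUG: "1.24.1"},
    "users_can_register": False,
    "registration_disabled_since": "2020-01-01T00:00:00",
    "users": [
        ("admin", "administrator", "2019-06-01T10:00:00"),
        ("wpuser_4421", "subscriber", "2020-05-07T03:14:00"),
    ],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_SITE):
        print(finding)
```

Run it against each site you manage; any subscriber that appears after registration was switched off deserves a look at what that account uploaded.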

What you should do

If you are on our WordPress Managed Maintenance plan, there is nothing to worry about: we've already taken the necessary steps to protect your sites. Yay!

If you're not on our maintenance plan... well, what are you waiting for? Sign up today!