Elementor is one of the most popular WordPress plugin which is used to create attractive websites faster by instantly importing the layouts, templates and blocks.
A Zero Day Vulnerability has been discovered in popular WordPress Plugin for Elementor Page Builder (The Plus Addons for Elementor) that has over 30,000 installations.
The plugin is being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin/administrator) by just providing the related username, as well as create accounts with arbitrary roles, such as admin, subscriber, author etc. These issues can be exploited even if registration is disabled, and the Login widget is not active.
Also Read: Most Useful WordPress Plugins for your Websites
This vulnerability was reported on March 8, 2021 to WPScan by Seravo, a hosting company.
The same plugin is also available in Lite mode which is free and doesn’t appear to be vulnerable to this zero day vulnerability. The exploit is not present in Main Elementor plugin itself, it’s in a popular plugin that extends Elementor.
Security researcher Ville Korhonen from Seravo and Antony Booker from WP Charged recommend immediately disabling the plugin to avoid being hacked.
According to Wordfence security researchers, the registration and login widget modules of the plugin are the attack vector.
Update:
As of March 9th, 2021, the vulnerability is still not fully patched. The plugin developer released a partially patched version of the plugin (4.1.6) shortly after our disclosure, however, the update does not fully address the vulnerability.
As of late March 9th, 2021, the vulnerabilities have been fully patched in version 4.1.7. We highly recommend updating to this version immediately to keep your sites secure.
If you are using The Plus Addons for Elementor plugin, we strongly recommend that you should update the plugin as early as possible.
If your site’s functionality is dependent on old version of this plugin, we recommend completely removing any registration or login widgets added by the plugin and disabling registration on your site.
About the Vulnerability:
- Description: Privilege Escalation
- Affected Plugin: The Plus Addons for Elementor
- Plugin Slug: theplus_elementor_addon
- Affected Versions: <= 4.1.6
- CVE ID: 2021-24175
- CVSS Score: 9.8 (Critical)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Fully Patched Version: 4.1.7
References: https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89
You may also like:
- Facebook Pay is rolling out in US – 2019 Update
- Top 25 Reddits – SubReddits Communities [Information Security]
- List of 100+ Cyber Security RSS Feeds
- Target’s Twitter Account Compromised – Posted Fake Promoted Ad [Bitcoin Scam]
- Familiar With SQL Injection Vulnerability – Meet Ihsan Sencan
- Microsoft + 33 Other Companies Join hands to fight Cyber Attacks – Cyber Security Tech Accord
- Twitter Compromised ! Change Your Password Right Now – May 2018
- Update your Mozilla Firefox Now – 31st January 2018 Update
- Dangerous Keylogger Found – Infecting over 2000 WordPress sites
- $1.2 Billion Worth of Cryptocurrencies Stolen – 2018 Update
