Elementor is one of the most popular WordPress page-builder plugins; it speeds up building attractive websites by letting users import ready-made layouts, templates and blocks.
A zero-day vulnerability has been discovered in The Plus Addons for Elementor, a popular add-on plugin for the Elementor page builder with over 30,000 installations.
The flaw is being actively exploited by malicious actors to bypass authentication. An unauthenticated attacker can log in as any existing user (including administrators) by supplying only that user's username, and can also create new accounts with arbitrary roles such as administrator, author or subscriber. Both issues are exploitable even when user registration is disabled and the plugin's Login widget is not active.
The vulnerability was reported to WPScan on March 8, 2021 by Seravo, a hosting company.
A free Lite version of the plugin is also available and does not appear to be affected. The vulnerability is not in the core Elementor plugin itself; it lies in this popular third-party plugin that extends Elementor.
Security researchers Ville Korhonen (Seravo) and Antony Booker (WP Charged) recommend disabling the plugin immediately to avoid compromise.
According to Wordfence security researchers, the registration and login widget modules of the plugin are the attack vector.
On March 9th, 2021, the plugin developer released version 4.1.6 shortly after the disclosure; however, that update only partially addressed the vulnerability, so sites running 4.1.6 remained exposed.
Later on March 9th, 2021, the vulnerabilities were fully patched in version 4.1.7. We strongly recommend updating to this version immediately to keep your site secure.
If you use The Plus Addons for Elementor, update to version 4.1.7 or later as soon as possible.
If your site depends on an older version of this plugin and cannot be updated yet, completely remove any registration or login widgets added by the plugin and disable user registration on your site. Bear in mind that the issue was reported as exploitable even with registration disabled and the Login widget inactive, so disabling the plugin entirely, as the researchers advise, is the safer course until you can update.
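The following triage script is an added example for this advisory, not code from the plugin vendor, Wordfence, WPScan or Seravo. It consumes the JSON that WP-CLI's `wp plugin list --format=json` and `wp user list --format=json` produce (their default fields), flags an installed `theplus_elementor_addon` at or below 4.1.6, and lists elevated-role accounts registered on or after the March 8, 2021 disclosure, which is the trace left by the "create accounts with arbitrary roles" path. The sample JSON embedded below is constructed for offline use and does not come from a real site; the role set treated as elevated is an assumption you should adjust to your site.

```python
"""Post-advisory triage for CVE-2021-24175 (The Plus Addons for Elementor).

Added example; not the plugin's, Wordfence's or WPScan's code. Input format is
the default JSON of `wp plugin list --format=json` and `wp user list --format=json`.
"""
from datetime import datetime, timezone
import json

PLUGIN_SLUG = "theplus_elementor_addon"
FIXED_VERSION = (4, 1, 7)          # first fully patched release per the advisory
DISCLOSURE = datetime(2021, 3, 8, tzinfo=timezone.utc)
# Assumption: roles that would let an attacker-created account take over content
# or the site. Add custom roles your site defines.
ELEVATED_ROLES = {"administrator", "editor"}

# Constructed sample data (not from a real site) so the script runs offline.
SAMPLE_PLUGINS = json.dumps([
    {"name": "elementor", "status": "active", "update": "none", "version": "3.1.4"},
    {"name": PLUGIN_SLUG, "status": "active", "update": "available", "version": "4.1.6"},
])
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "display_name": "Owner",
     "user_email": "owner@example.test", "user_registered": "2019-05-02 10:11:12",
     "roles": "administrator"},
    {"ID": 57, "user_login": "jane", "display_name": "Jane",
     "user_email": "jane@example.test", "user_registered": "2021-03-09 01:02:03",
     "roles": "subscriber"},
    {"ID": 58, "user_login": "wpadm1n", "display_name": "wpadm1n",
     "user_email": "x@mailinator.test", "user_registered": "2021-03-09 03:14:15",
     "roles": "administrator"},
])


def parse_version(version: str) -> tuple:
    """'4.1.6' -> (4, 1, 6). Non-numeric fragments become 0 so comparison never raises."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def plugin_status(plugins_json: str) -> dict:
    """Locate the affected plugin and decide whether its version predates the fix."""
    for plugin in json.loads(plugins_json):
        if plugin.get("name") == PLUGIN_SLUG:
            version = plugin.get("version", "0")
            return {
                "installed": True,
                "version": version,
                "status": plugin.get("status"),
                "vulnerable": parse_version(version) < FIXED_VERSION,
            }
    return {"installed": False, "version": None, "status": None, "vulnerable": False}


def suspicious_accounts(users_json: str) -> list:
    """Elevated-role accounts registered on or after the disclosure date."""
    hits = []
    for user in json.loads(users_json):
        raw_roles = user.get("roles", "")
        # WP-CLI emits roles as a comma-separated string; tolerate a list too.
        roles = set(raw_roles) if isinstance(raw_roles, list) else {
            r.strip() for r in raw_roles.split(",") if r.strip()
        }
        registered = datetime.strptime(
            user["user_registered"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        if roles & ELEVATED_ROLES and registered >= DISCLOSURE:
            hits.append({
                "ID": user["ID"],
                "user_login": user["user_login"],
                "roles": sorted(roles),
                "registered": user["user_registered"],
            })
    return hits


def triage(plugins_json: str, users_json: str) -> dict:
    """Combine the version check and the rogue-account sweep into one report."""
    return {
        "plugin": plugin_status(plugins_json),
        "suspicious_accounts": suspicious_accounts(users_json),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PLUGINS, SAMPLE_USERS), indent=2))
```

Run it against real output by replacing the two sample strings with `wp plugin list --format=json` and `wp user list --format=json`. The account sweep only catches the account-creation path; the advisory's other path, logging in as an existing user by username alone, leaves no new account behind, so on a site that was exposed you should also review existing administrator accounts, rotate their passwords and invalidate active sessions rather than relying on this check alone.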
About the Vulnerability:
- Description: Privilege Escalation
- Affected Plugin: The Plus Addons for Elementor
- Plugin Slug: theplus_elementor_addon
- Affected Versions: <= 4.1.6
- CVE ID: CVE-2021-24175
- CVSS Score: 9.8 (Critical)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Fully Patched Version: 4.1.7