Wordfence has posted a blog about receiving reports of active exploitation of an Elementor Pro vulnerability, combined with an issue in a related plugin, Ultimate Addons for Elementor.
Elementor released the patched version today, May 7, 2020. However, unpatched versions are still being exploited.
The latest Elementor Pro release, version 2.9.4, contains the fix for the critical file upload vulnerability.
According to Wordfence, Elementor Pro and Ultimate Addons for Elementor are the two plugins with vulnerability issues.
Elementor Pro has nearly 1 million active users, and the vulnerability leaves all of them exposed to compromise.
According to Wordfence:
This is a zero day vulnerability. An attacker able to remotely execute code on your site can install a backdoor or webshell to maintain access, gain full administrative access to WordPress, or even delete your site entirely.
Elementor Pro Vulnerability
There are two versions of Elementor: free and paid.
Elementor Pro is the paid version and is one of the most widely used WordPress page builder plugins. The vulnerability affects only the paid version; there are no reports of sites running the free Elementor plugin being exploited.
Wordfence has rated the vulnerability as “critical”.
Attackers use open WordPress user registration to reach the vulnerability.
If your site runs on WordPress with the Elementor Pro plugin installed, an attacker can use the vulnerability to upload executable files to your website.
This allows the attacker to perform various actions, such as installing PHP web shells or even deleting the website's content.
Most websites keep registration open. This lets visitors register with the site and contribute to its content by commenting on or liking posts. These registered users have only limited access to the site.
Through the Elementor Pro vulnerability, attackers bypass that limited access and achieve remote code execution.
However, disabling user registration alone does not remove the risk: attackers are using another plugin, Ultimate Addons for Elementor, to register as a subscriber when user registration is disabled.
Ultimate Addons for Elementor
This plugin works alongside the Elementor page builder and adds more functions to the builder.
The vulnerability in the Ultimate Addons for Elementor plugin lets an attacker reach the Elementor Pro vulnerability even when the site has turned off user registration.
Because Ultimate Addons works as an add-on to Elementor, attackers were able to use one plugin to exploit the other.
How to protect your site
Elementor has released a patch that fixes the issue.
Update Elementor Pro to version 2.9.4 to be protected.
Once the Elementor Pro plugin is upgraded, attackers can no longer take advantage of the vulnerability. You should still turn off user registration, at least for now, while the attacks are reportedly active.
Check your WordPress Site
It is best to do a quick audit of your site.
Unknown subscriber-level users on your site
Look for any subscribers you do not recognize, or for an unexpected increase in the number of subscribers.
Check for files named “wp-xmlrpc.php”.
Run your site through a security scanner and check for this file; its presence can be an indication of a compromised website.
Unknown files or folders in the /wp-content/uploads/elementor/custom-icons/ directory
Delete any unknown files from that Elementor directory.
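The file-level checks above can be scripted so they run from cron or before a scanner pass. The following is an added example written for this page, not Wordfence's or Elementor's own tooling: it searches a WordPress document root for any file named wp-xmlrpc.php and for files under wp-content/uploads/elementor/custom-icons/ whose extension is not one an icon set would normally contain. The extension allow-list and the sample directory tree it builds for the demo are assumptions made here, not values from Elementor.

```shell
#!/bin/sh
# Added example (not Wordfence's or Elementor's code): an offline audit of a
# WordPress document root for the file-level indicators listed in the article.
# The directory tree built by make_sample_site is constructed for the demo.

# 1. Any file named wp-xmlrpc.php anywhere under the root. WordPress core
#    ships xmlrpc.php, not wp-xmlrpc.php, so a hit deserves a closer look.
find_wp_xmlrpc() {
    find "$1" -type f -name 'wp-xmlrpc.php'
}

# 2. Files under wp-content/uploads/elementor/custom-icons/ whose extension
#    is not one a custom icon set normally contains. The allow-list below is
#    an assumption made for this example, not Elementor's own list; tighten
#    it to match whatever icon sets your site actually uploaded.
find_odd_custom_icons() {
    icons="$1/wp-content/uploads/elementor/custom-icons"
    [ -d "$icons" ] || return 0
    find "$icons" -type f \
        ! -name '*.svg' ! -name '*.css' ! -name '*.json' ! -name '*.html' \
        ! -name '*.woff' ! -name '*.woff2' ! -name '*.ttf' ! -name '*.eot'
}

# Count lines of stdin, stripping the leading blanks some wc builds print.
count_lines() {
    wc -l | tr -d ' \t'
}

# Total number of findings from both checks, printed as a bare integer so a
# caller (or a cron job) can act on it.
count_findings() {
    a=$(find_wp_xmlrpc "$1" | count_lines)
    b=$(find_odd_custom_icons "$1" | count_lines)
    echo $((a + b))
}

# Human-readable report of both checks for one document root.
audit_site() {
    root="$1"
    echo "== files named wp-xmlrpc.php under $root =="
    find_wp_xmlrpc "$root"
    echo "== unexpected files under elementor/custom-icons =="
    find_odd_custom_icons "$root"
    echo "== $(count_findings "$root") finding(s) =="
}

# Constructed sample tree: two planted indicators plus legitimate files, so
# the checks can be exercised without touching a real site.
make_sample_site() {
    root="$1"
    icons="$root/wp-content/uploads/elementor/custom-icons/my-icons"
    mkdir -p "$icons" "$root/wp-includes"
    : > "$icons/style.css"                 # legitimate icon-set files
    : > "$icons/icon-home.svg"
    : > "$icons/shell.php"                 # planted: PHP where only icon assets belong
    : > "$root/wp-includes/wp-xmlrpc.php"  # planted: the file name the article warns about
    : > "$root/xmlrpc.php"                 # legitimate core file, must NOT be flagged
}

# Usage: sh elementor_audit.sh /var/www/html
# With no argument, the script audits the constructed sample tree instead.
if [ -n "$1" ]; then
    audit_site "$1"
else
    demo=$(mktemp -d)
    make_sample_site "$demo"
    audit_site "$demo"
    rm -rf "$demo"
fi
```

The subscriber check needs database access rather than a filesystem walk; on a host with WP-CLI installed, `wp user list --role=subscriber --fields=user_login,user_email,user_registered` lists subscriber accounts with their registration dates so recent unknown entries stand out, and `wp option update users_can_register 0` turns registration off as the article recommends.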