Hackers are actively exploiting two security vulnerabilities in the Elementor Pro and Ultimate Addons for Elementor WordPress plugins with the end goal of remotely executing arbitrary code and fully compromising unpatched targets.
Attacks abusing the two bugs were first observed on May 6th, according to a report published today by Wordfence’s Threat Intelligence team.
Attackers can wipe sites after successful exploitation
Elementor Pro is a paid plugin with an estimated number of over 1 million active installations that helps users to easily create WordPress websites from scratch with the help of a built-in theme builder, visual form widget designer, and custom CSS support.
The Elementor Pro vulnerability is a remote code execution bug rated Critical: any attacker holding a registered account on the target site, even at subscriber level, can upload arbitrary files and execute code remotely. When the attacks started no patch was available, making it a zero-day.
Attackers who successfully exploit the flaw can install backdoors or webshells to maintain access to the compromised site, escalate to full administrator access, or even wipe the entire site.
If they cannot register an account, they chain in the second vulnerability, in the Ultimate Addons for Elementor plugin (installed on over 110,000 sites), which lets them register subscriber-level users on any site running the plugin even when user registration is disabled.
“Then they proceed to use the newly registered accounts to exploit the Elementor Pro [..] vulnerability and achieve remote code execution,” as Wordfence discovered.
Mitigation measures
To defend against these ongoing attacks, update Elementor Pro to version 2.9.4, which fixes the remote code execution vulnerability.
Users of Ultimate Addons for Elementor must upgrade to version 1.24.2 or later, which closes the registration bypass.
Wordfence recommends the following checks to determine whether your site has already been compromised:
• Check for unknown subscriber-level users. Accounts you did not create may indicate that the site was hit by this campaign; if so, remove them.
• Check for any file named “wp-xmlrpc.php”. Its presence is an indicator of compromise (WordPress core ships xmlrpc.php, not a file with the wp- prefix).
• Delete any unknown files or folders in the /wp-content/uploads/elementor/custom-icons/ directory. Files that appeared there after a rogue subscriber-level account was created are a clear indication of compromise.
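The update step and the three checks above can be scripted. The following is an added example written for this page, not code from Wordfence or BleepingComputer. It assumes the site root is passed as the first argument, that the plugins live in wp-content/plugins/elementor-pro/elementor-pro.php and wp-content/plugins/ultimate-elementor/ultimate-elementor.php (assumed directory and file names), that WP-CLI is optional and only used for the subscriber listing, and it adds one heuristic of the editor's own: PHP files under custom-icons are ranked above other unknown uploads. The sample site tree it builds at the end is constructed for the demonstration and contains no real data.

```shell
#!/bin/sh
# Added triage example (not part of the Wordfence report or this article).
# Assumptions not stated on the page: $1 is the WordPress document root; plugin
# paths are elementor-pro/elementor-pro.php and ultimate-elementor/ultimate-elementor.php;
# PHP under custom-icons is the highest-confidence hit; WP-CLI is optional.
set -u

count() { wc -l | tr -d ' '; }

# Read the "Version:" header of a plugin's main file ($1 root, $2 dir, $3 file).
plugin_version() {
    f="$1/wp-content/plugins/$2/$3"
    [ -f "$f" ] || { echo "missing"; return 0; }
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$f" | head -1
}

# True when dotted version $1 is older than $2 (numeric compare, up to 3 parts).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -1)" = "$1" ]
}

# Returns 0 if both plugins are absent or at/above the fixed release, else 1.
check_plugin_versions() {
    root="$1"; rc=0
    for spec in "elementor-pro elementor-pro.php 2.9.4" \
                "ultimate-elementor ultimate-elementor.php 1.24.2"; do
        set -- $spec
        v=$(plugin_version "$root" "$1" "$2")
        if [ "$v" = "missing" ]; then
            echo "$1: not installed"
        elif version_lt "$v" "$3"; then
            echo "$1: $v is VULNERABLE, update to $3 or later"; rc=1
        else
            echo "$1: $v is patched"
        fi
    done
    return $rc
}

# Indicator: a file named wp-xmlrpc.php anywhere under the site. Core ships
# xmlrpc.php; the "wp-" prefixed name is the one reported for this campaign.
find_rogue_xmlrpc() {
    find "$1" -type f -name 'wp-xmlrpc.php' 2>/dev/null
}

# Indicator: anything under the custom-icons upload directory. Legitimate icon
# uploads also land here, so treat the output as a review list, not proof.
list_custom_icons() {
    dir="$1/wp-content/uploads/elementor/custom-icons"
    [ -d "$dir" ] || return 0
    find "$dir" -mindepth 1 2>/dev/null
}

# Assumed heuristic (editor's, not Wordfence's): PHP has no business in an
# icon-font directory, so these entries go to the top of the review list.
find_php_in_custom_icons() {
    list_custom_icons "$1" | grep -E '\.(php|phtml|php[0-9])$' || true
}

# Indicator: subscriber accounts, newest first, when WP-CLI is on the PATH.
list_subscribers() {
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found: review Users in wp-admin" >&2; return 0; }
    wp --path="$1" user list --role=subscriber \
        --fields=ID,user_login,user_email,user_registered --orderby=registered --order=desc \
        || echo "wp user list failed: review Users in wp-admin" >&2
}

# Runs every check; returns 0 only when both plugins are patched and neither
# file indicator is present. An empty custom-icons list is not required.
triage() {
    root="$1"; rc=0
    check_plugin_versions "$root" || rc=1
    find_rogue_xmlrpc "$root" | sed 's/^/ROGUE FILE: /'
    find_php_in_custom_icons "$root" | sed 's/^/PHP IN CUSTOM-ICONS: /'
    list_custom_icons "$root" | sed 's/^/REVIEW UPLOAD: /'
    list_subscribers "$root"
    [ "$(find_rogue_xmlrpc "$root" | count)" -eq 0 ] || rc=1
    [ "$(find_php_in_custom_icons "$root" | count)" -eq 0 ] || rc=1
    return $rc
}

# Constructed sample site (no real data): one unpatched plugin, one patched,
# a dropped wp-xmlrpc.php, and a PHP file beside a legitimate icon upload.
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/wp-content/plugins/elementor-pro" \
         "$DEMO_ROOT/wp-content/plugins/ultimate-elementor" \
         "$DEMO_ROOT/wp-content/uploads/2020/05" \
         "$DEMO_ROOT/wp-content/uploads/elementor/custom-icons/icons-1"
printf '<?php\n/**\n * Plugin Name: Elementor Pro\n * Version: 2.9.3\n */\n' \
    > "$DEMO_ROOT/wp-content/plugins/elementor-pro/elementor-pro.php"
printf '<?php\n/**\n * Plugin Name: Ultimate Addons for Elementor\n * Version: 1.24.2\n */\n' \
    > "$DEMO_ROOT/wp-content/plugins/ultimate-elementor/ultimate-elementor.php"
echo '<?php // constructed stand-in for a dropped webshell' > "$DEMO_ROOT/wp-content/uploads/2020/05/wp-xmlrpc.php"
echo '<?php // constructed stand-in for a dropped webshell' > "$DEMO_ROOT/wp-content/uploads/elementor/custom-icons/icons-1/x.php"
echo '.icon{}' > "$DEMO_ROOT/wp-content/uploads/elementor/custom-icons/icons-1/style.css"

if triage "$DEMO_ROOT"; then echo "no indicators"; else echo "INDICATORS FOUND: investigate before trusting this site"; fi
```

A clean result from this script only means the listed indicators are absent; an attacker who reached administrator access may have planted files elsewhere, so a site that shows a rogue account or upload should be rebuilt from a known-good backup rather than just cleaned.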
A separate, much larger series of attacks targeting more than 900,000 WordPress sites began on April 28, attempting to redirect visitors to malvertising sites or, when a site administrator is logged in, to plant backdoors.
The threat actor behind it used at least 24,000 IP addresses to send malicious requests to over 900,000 sites, with more than 20 million attacks launched against over half a million sites on May 3rd alone.
The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.