The attackers exploited two security holes in the Elementor Pro and Ultimate Addons for Elementor WordPress plug-ins to fully compromise websites, with over 1M installations exposed.
Hackers are actively exploiting two vulnerabilities in the Elementor Pro and Ultimate Addons for Elementor WordPress plug-ins to fully compromise unpatched WordPress installations.
Wordfence security experts have observed a hacking campaign exploiting the two issues since May 6, 2020. When the attacks began, the Elementor Pro vulnerability was still a zero-day.
On May 6, 2020, our Threat Intelligence team received reports of active exploitation of vulnerabilities in two interdependent plug-ins, Elementor Pro and Ultimate Addons for Elementor. We have reviewed the log files of the hacked websites to confirm this activity.
The attack targets two plugins. The first is Elementor Pro, made by Elementor. This plugin has a zero-day vulnerability that can be exploited on sites where user registration is open. The second affected plugin is Ultimate Addons for Elementor, produced by Brainstorm Force.
Elementor Pro is a paid plugin that is currently installed on over a million websites. It allows users to easily build WordPress sites.
Elementor Pro is affected by a remote code execution vulnerability: an attacker with a registered user account can upload arbitrary files to the targeted site and execute code remotely.
Attackers have used the vulnerability to install backdoors or web shells on compromised websites, gain full administrative access to them, or even delete the entire site.
If the attackers cannot register as users, they can exploit a second vulnerability, affecting the Ultimate Addons for Elementor WordPress plugin, which allows them to register as subscriber-level users.
The Ultimate Addons for Elementor WordPress plugin is installed on over 110,000 websites. Wordfence experts have determined that this issue can be exploited on any website running the plugin, even if user registration is disabled.
On websites with open user registration, attackers could attack the Elementor Pro zero-day vulnerability directly.
If user registration is not enabled on a website, an attacker can use the Ultimate Addons for Elementor vulnerability to register as a subscriber. They then use the newly registered account to exploit Elementor Pro's zero-day remote code execution vulnerability.
WordPress site administrators can secure their installations by upgrading Elementor Pro to version 2.9.4 and Ultimate Addons for Elementor to version 1.24.2 or later.
Wordfence has provided the following guidelines for the protection of WordPress sites:
– Check whether there are unknown subscriber accounts on your website. They may indicate that your website has been compromised as part of this active campaign. If so, delete these accounts.
– Check for files named wp-xmlrpc.php. Their presence can be considered an indicator of compromise, so check your website for such files.
– Delete any unknown file or folder in /wp content /downloads/item/user picture/. Files that appear there after an unauthorized subscriber-level account has been created are a clear sign of compromise.
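The three checks above can be scripted for a triage pass. The following is an added example, not code from Wordfence or the article; it assumes a user export with the columns user_login, user_registered and roles (the shape of `wp user list --format=csv`), takes May 6, 2020 as the cut-off date, and takes the watched upload directory as a parameter because the exact path varies by installation.

```python
import csv
import io
import os
import tempfile
from datetime import datetime

CAMPAIGN_START = datetime(2020, 5, 6)  # first reported exploitation (assumed cut-off)
INDICATOR_NAME = "wp-xmlrpc.php"       # file name given in the Wordfence guidance

def suspicious_subscribers(user_csv, since=CAMPAIGN_START):
    """Return logins of subscriber accounts registered on or after `since`.
    `user_csv` has the columns user_login,user_registered,roles (the shape
    of `wp user list --format=csv`); every hit still needs manual review."""
    hits = []
    for row in csv.DictReader(io.StringIO(user_csv)):
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "subscriber" in row["roles"].split(",") and registered >= since:
            hits.append(row["user_login"])
    return hits

def find_indicator_files(wp_root, watched_subdir):
    """Walk a WordPress install; report every file named wp-xmlrpc.php and
    every file under `watched_subdir` (relative to wp_root), which should
    hold nothing on a clean site. Paths are returned relative to wp_root."""
    watched = os.path.join(wp_root, os.path.normpath(watched_subdir)) + os.sep
    hits = []
    for dirpath, _, filenames in os.walk(wp_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == INDICATOR_NAME or path.startswith(watched):
                hits.append(os.path.relpath(path, wp_root))
    return sorted(hits)

# Constructed sample data: a fake user export and a throwaway site tree.
SAMPLE_USERS = """user_login,user_registered,roles
admin,2018-03-01 09:12:00,administrator
reader,2020-04-30 11:00:00,subscriber
ghost42,2020-05-07 02:41:18,subscriber
"""

def build_sample_site():
    """Create a temp tree with one planted shell file and one stray upload."""
    root = tempfile.mkdtemp()
    for rel in ("wp-includes/class-wp.php",
                "wp-content/uploads/2020/05/photo.jpg",
                "wp-content/uploads/wp-xmlrpc.php",
                "wp-content/uploads/watched/icon.php"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root

if __name__ == "__main__":
    print(suspicious_subscribers(SAMPLE_USERS))
    print(find_indicator_files(build_sample_site(), "wp-content/uploads/watched"))
```

On a real site, feed the output of `wp user list --fields=user_login,user_registered,roles --format=csv` to `suspicious_subscribers` and point `find_indicator_files` at the web root and the upload directory named in the guidance.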