x32x01
  • by x32x01 ||
Elementor is one of the most popular WordPress plugin which is used to create attractive websites faster by instantly importing the layouts, templates and blocks.

A Zero Day Vulnerability has been discovered in popular WordPress Plugin for Elementor Page Builder (The Plus Addons for Elementor) that has over 30,000 installations.
30,000 Sites Is In RISK, The Plus Addons For Elementor WordPress Plugin Hacked
The plugin is being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin/administrator) by just providing the related username, as well as create accounts with arbitrary roles, such as admin, subscriber, author etc. These issues can be exploited even if registration is disabled, and the Login widget is not active.

This vulnerability was reported on March 8, 2021 to WPScan by Seravo, a hosting company.

The same plugin is also available in Lite mode which is free and doesn’t appear to be vulnerable to this zero day vulnerability. The exploit is not present in Main Elementor plugin itself, it’s in a popular plugin that extends Elementor.

Security researcher Ville Korhonen from Seravo and Antony Booker from WP Charged recommend immediately disabling the plugin to avoid being hacked.
According to Wordfence security researchers, the registration and login widget modules of the plugin are the attack vector.

Update:
As of March 9th, 2021, the vulnerability is still not fully patched. The plugin developer released a partially patched version of the plugin (4.1.6) shortly after our disclosure, however, the update does not fully address the vulnerability.

As of late March 9th, 2021, the vulnerabilities have been fully patched in version 4.1.7. We highly recommend updating to this version immediately to keep your sites secure.
If you are using The Plus Addons for Elementor plugin, we strongly recommend that you should update the plugin as early as possible.
If your site’s functionality is dependent on old version of this plugin, we recommend completely removing any registration or login widgets added by the plugin and disabling registration on your site.

About the Vulnerability:
  • Description: Privilege Escalation
  • Affected Plugin: The Plus Addons for Elementor
  • Plugin Slug: theplus_elementor_addon
  • Affected Versions: <= 4.1.6
  • CVE ID: 2021-24175
  • CVSS Score: 9.8 (Critical)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Fully Patched Version: 4.1.7
References: https://wpscan.com/vulnerability/c311feef-7041-4c21-9525-132b9bd32f89
 

Similar Threads

x32x01
Replies
0
Views
129
x32x01
x32x01
x32x01
Replies
0
Views
166
x32x01
x32x01
x32x01
Replies
0
Views
634
x32x01
x32x01
x32x01
  • x32x01
Replies
0
Views
258
x32x01
x32x01
x32x01
Replies
0
Views
233
x32x01
x32x01
TAGs: Tags
wordpress plugin

Register & Login Faster

Forgot your password?

Latest Resources

Forum Statistics

Threads
517
Messages
518
Members
45
Latest Member
Tacola
Back
Top