The security hole in the Plus Addons for Elementor plugin was used in active zero-day attacks prior to a patch being issued.
The Plus Addons for Elementor plugin for WordPress has a critical security vulnerability that attackers can exploit to quickly, easily and remotely take over a website. First reported as a zero-day bug, researchers said it’s being actively attacked in the wild.
The plugin, which has more than 30,000 active installations according to its developer, allows site owners to create various user-facing widgets for their websites, including user logins and registration forms that can be added to an Elementor page. Elementor is a site-building tool for WordPress.
The bug (CVE-2021-24175) is a privilege-escalation and authentication-bypass issue that exists in this registration form function of the Plus Addons for Elementor. It rates 9.8 on the CVSS vulnerability scale, making it critical in severity.
“Unfortunately, this functionality was improperly configured and allowed attackers to register as an administrative user, or to log in as an existing administrative user,” according to researchers at Wordfence, in a posting this week. They added that it arises from broken session management, but didn’t provide further technical details.
Exploited as a Zero-Day Bug
The bug was first reported to WPScan by Seravo, a web-hosting company, as a zero-day under active attack by cybercriminals.
“The plugin is being actively exploited to by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin,” according to WPScan’s overview.
As for how cybercriminals are using the exploit in the wild, Wordfence noted that indicators of compromise point to attackers creating privileged accounts and then using them to further compromise the site.
“We believe that attackers are adding user accounts with usernames as the registered email address based on how the vulnerability creates user accounts, and in some cases installing a malicious plugin labeled ‘wpstaff,’” researchers said.
Worryingly, they added that the vulnerability can still be exploited even if there’s no active login or registration page that was created with the plugin, and even if registration and logins are suspended or disabled.
“This means that any site running this plugin is vulnerable to compromise,” according to the Wordfence posting.
How to Fix the Plus Addons for Elementor Security Vulnerability
The vulnerability was reported on Monday, and fully patched a day later. Site admins should upgrade to version 4.1.7 of The Plus Addons for Elementor to avoid compromise, and they should check for “any unexpected administrative users or plugins you did not install,” according to Wordfence. The Plus Addons for Elementor Lite does not contain the same vulnerability, the firm added.
“If you are using The Plus Addons for Elementor plugin, we strongly recommend that you deactivate and remove the plugin completely until this vulnerability is patched,” researchers said. “If the free version will suffice for your needs, you can switch to that version for the time being.”
WordPress Plugin Problems Persist
WordPress plugins continue to offer an attractive avenue of attack for cybercriminals.
In January, researchers warned of two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.
Also that month, a plugin called PopUp Builder, used by WordPress websites for building pop-up ads for newsletter subscriptions, was found to have a vulnerability could be exploited by attackers to send out newsletters with custom content, or to delete or import newsletter subscribers.
And in February, an unpatched, stored cross-site scripting (XSS) security bug was found to potentially affect 50,000 Contact Form 7 Style plugin users.
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community: