Hackers Combine Elementor Pro Vulnerabilities to Take Over WordPress Sites

On May 6, the Wordfence Threat Intelligence team was alerted to a zero-day vulnerability in Elementor Pro, a WordPress plugin installed on approximately 1 million sites.

We are publishing this short security update as part of our WordPress security series for the benefit of our readers.

The vulnerability was being exploited in tandem with a second vulnerability in Ultimate Addons for Elementor, a WordPress plugin installed on approximately 110,000 sites.

Ultimate Addons for Elementor is developed by Brainstorm Force. It is an extension to Elementor that provides many additional widgets for use with Elementor.

Wordfence immediately released a firewall rule to protect its Premium users, contacted Elementor about the vulnerability, and publicly notified the community so that site owners could protect themselves from compromise.

The Exploit

One of the Ultimate Addons widgets adds a registration form, called the "User Registration Form", to any page. It is an easily customizable registration form that can be placed anywhere on the site. Unfortunately, a flaw in the form's back-end functionality allowed users to register even when registration was disabled for the site, and even if the form widget was not in use anywhere on the site.

In other words, missing checks made it possible for attackers to bypass the user registration settings of a WordPress site. Brainstorm Force has added checks in the latest version that verify both that user registration is enabled and that the widget is active before a registration request is processed.
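To make the two missing checks concrete, here is an added illustration of a front-end registration AJAX handler, first without the checks and then with them. This is example code written for this post, not Brainstorm Force's code, and the action name `example_register_user`, the nonce name and the option `example_registration_widget_active` (standing in for however a plugin records that its widget is in use) are assumptions; the WordPress functions used are real.

```php
<?php
/**
 * Added illustration (not Ultimate Addons for Elementor's code).
 * Hypothetical names: example_register_user, example_register_nonce,
 * example_registration_widget_active.
 */

// Vulnerable pattern: the handler trusts the request and creates a user,
// regardless of the site's registration setting or whether the form exists.
function example_register_user_vulnerable() {
    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $user_id  = wp_create_user( $username, wp_generate_password( 24 ), $email );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// Hardened pattern: refuse unless registration is on AND the widget is in use.
function example_register_user_hardened() {
    // A nonce ties the request to a page that actually rendered the form.
    check_ajax_referer( 'example_register_nonce', 'nonce' );

    // Check 1: honour Settings > General > "Anyone can register".
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled on this site.', 403 );
    }

    // Check 2: only serve the endpoint when the form widget is actually placed
    // on the site. How a plugin tracks this is plugin-specific; this example
    // assumes an option the plugin updates when the widget is saved/rendered.
    if ( ! get_option( 'example_registration_widget_active' ) ) {
        wp_send_json_error( 'The registration form is not enabled.', 403 );
    }

    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );

    if ( '' === $username || ! is_email( $email ) ) {
        wp_send_json_error( 'Invalid username or email.', 400 );
    }
    if ( username_exists( $username ) || email_exists( $email ) ) {
        wp_send_json_error( 'Username or email already in use.', 400 );
    }

    // wp_create_user() assigns the site's default_role (normally subscriber);
    // never take the role from request data.
    $user_id = wp_create_user( $username, wp_generate_password( 24 ), $email );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }
    // Let the new user set their own password via the standard notification.
    wp_new_user_notification( $user_id, null, 'user' );

    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// A registration form must be reachable by logged-out visitors, so the
// nopriv hook is expected; the checks above are what make exposing it safe.
add_action( 'wp_ajax_nopriv_example_register_user', 'example_register_user_hardened' );
add_action( 'wp_ajax_example_register_user', 'example_register_user_hardened' );
```

The point to take from the vulnerable version is that the `wp_ajax_nopriv_` endpoint exists on every site that has the plugin active, whether or not the widget is on any page, which is why the widget-active check matters as much as the `users_can_register` check.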

Combined, these flaws made it possible for attackers to register as a subscriber on any vulnerable site and then use that access to pivot to vulnerabilities that require subscriber-level access. This is precisely what we saw being exploited in the case of the Elementor Pro vulnerability.

Special thanks to Ramuel Gall for his research contributions on this vulnerability.

On the Elementor Pro side, three flaws in the custom icon-set upload feature made it possible for attackers with that subscriber-level access to upload arbitrary files: they created a Fontello, IcoMoon, or Fontastic icon .zip file, extracted it, injected arbitrary files of their choice into the folder, re-compressed the .zip file, and uploaded it to the site via the plugin's AJAX action.
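The post does not say which specific checks Elementor added, so the following is a generic added illustration, not Elementor Pro's code, of how an upload handler can vet an icon-set archive before anything is extracted into the uploads directory: require a capability above subscriber, and inspect every zip entry for path traversal and for file types an icon export should never contain. The extension allowlist, the function names and the nonce name are assumptions for this example.

```php
<?php
/**
 * Added illustration (not Elementor Pro's code). The allowlist reflects what
 * Fontello, IcoMoon and Fontastic exports normally contain; adjust to taste.
 * Returns an array of problems; an empty array means the archive looks sane.
 */
function example_validate_icon_zip( $zip_path ) {
    $allowed_ext = array( 'css', 'json', 'svg', 'ttf', 'woff', 'woff2', 'eot', 'html', 'txt' );
    $errors      = array();

    $zip = new ZipArchive();
    if ( true !== $zip->open( $zip_path, ZipArchive::CHECKCONS ) ) {
        return array( 'Not a valid zip archive.' );
    }

    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );

        // Refuse absolute paths, "..", and backslashes so that no entry can
        // be written outside the target directory when extracted.
        if ( '/' === substr( $name, 0, 1 ) || false !== strpos( $name, '..' ) || false !== strpos( $name, '\\' ) ) {
            $errors[] = "Path traversal or absolute path in entry: $name";
            continue;
        }
        // Directory entries carry no content.
        if ( '/' === substr( $name, -1 ) ) {
            continue;
        }

        $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        if ( ! in_array( $ext, $allowed_ext, true ) ) {
            $errors[] = "Disallowed file type in entry: $name";
        }

        // An allowlist on the last extension is not enough on its own: whether
        // icon.php.svg or style.phtml executes depends on the web server
        // configuration, so reject any basename with a PHP-like segment.
        if ( preg_match( '/\.ph(p[0-9]?|tml|ar)(\.|$)/i', basename( $name ) ) ) {
            $errors[] = "PHP code in entry: $name";
        }
    }
    $zip->close();

    return $errors;
}

// Upload handler (hypothetical action/nonce names). Anything that writes files
// into the web root should demand far more than subscriber-level access.
function example_handle_icon_upload() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    check_ajax_referer( 'example_icon_upload_nonce', 'nonce' );

    $tmp    = $_FILES['zip_upload']['tmp_name'] ?? '';
    $errors = example_validate_icon_zip( $tmp );
    if ( $errors ) {
        wp_send_json_error( $errors, 400 );
    }

    // Only now hand the archive to unzip_file() into a dedicated icons directory.
    wp_send_json_success();
}
add_action( 'wp_ajax_example_icon_upload', 'example_handle_icon_upload' );
```

Note that there is deliberately no `wp_ajax_nopriv_` hook here: file uploads have no business being reachable by logged-out visitors, and the capability check stops a freshly registered subscriber from reaching the handler at all. Allowing `.svg` and `.html` is a trade-off worth knowing about, since both can carry script; if the icon sets you support do not need them, drop them from the allowlist.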

Good News: Vulnerability Patched

Elementor quickly released an update for Elementor Pro the same day the notice was published on the Wordfence blog.

Website owners who have not yet updated to the latest versions of these plugins are urged to do so immediately. For Elementor Pro, that is version 2.9.4; for Ultimate Addons for Elementor, it is version 1.24.2.

Read more from the Wordfence blog.
