WordFence is reporting that Elementor Pro has a critical zero-day vulnerability exploit. This vulnerability has just been patched today, May 7, 2020. Unpatched versions are reportedly being actively exploited.
Elementor has released Pro version 2.9.4, which contains the fix for this critical file upload vulnerability.
## Two Elementor Plugins Are Vulnerable
According to WordFence, there are two plugins involved, each with its own vulnerability.
### Elementor Pro is a Vulnerable Plugin
Elementor Pro is the paid version of the Elementor WordPress page builder plugin. This vulnerability does not affect the free version of the Elementor plugin. The vulnerability is rated as “critical” according to WordFence.
A hacker would need to be registered with the website to take advantage of the vulnerability. If your website running on Elementor Pro allows site visitors to register in order to comment or contribute, then it may be vulnerable. Even if your Elementor Pro WordPress site does not have registered users, you may still be at risk.
This is because another plugin, Ultimate Addons for Elementor, allows a hacker to register as a subscriber even if registration is prohibited. This means that the Ultimate Addons for Elementor plugin can enable a hacker to exploit the Elementor Pro vulnerability.
According to WordFence:
> “Due to the vulnerability being unpatched at this time, we are excluding any further information. We have data via another vendor indicating that the Elementor team is working on a patch. We have contacted Elementor but did not immediately receive confirmation of this before publication.”
### Ultimate Addons for Elementor Vulnerability
The second vulnerable plugin is the Ultimate Addons for Elementor. It allows a hacker to exploit the Elementor Pro vulnerability even if user registration is turned off.
At this moment, a newly released patch is available to fix the Elementor Pro vulnerability. Update Elementor Pro to version 2.9.4 to be protected.
There is also a patch to fix the Ultimate Addons for Elementor plugin. By upgrading the Ultimate Addons plugin (if you have it installed) you can theoretically block a hacker from exploiting an Elementor Pro site, as long as user registrations are prohibited.
## How to Protect Your Elementor Pro Website
WordFence recommends updating Elementor Pro to version 2.9.4. Once Elementor Pro is updated, you will be safe from hacking.
Read the WordFence announcement: Combined Attack on Elementor Pro and Ultimate Addons for Elementor Puts 1 Million Sites at Risk.
### More Resources
– GoDaddy Hosting Breach Undetected for 6 Months
– How Does Website Security Affect Your SEO?
– HTTP or HTTPS? Why You Need a Secure Site
