
Critical Vulnerability in The Plus Addons for Elementor

Updated: The Plus Addons for Elementor was fully patched in version 4.1.7 on March 9, 2021, closing the vulnerability and securing the plugin.

A zero-day vulnerability has been discovered in The Plus Addons for Elementor, a WordPress plugin, that allows a full site takeover. Security researchers at Wordfence recommend deactivating and removing the plugin immediately to avoid being hacked.

The vulnerability is not in Elementor itself but in a popular third-party plugin that extends it.

Zero Day Vulnerability

A zero-day vulnerability is a flaw that attackers know about and are exploiting before the software developer has a patch for it; the name refers to the developer having had zero days to fix it. Normally, a vulnerability is reported privately and the developer has time to fix it before attackers exploit it. In a zero-day scenario, the flaw is actively exploited while the developer races to identify and patch it. This makes zero-day vulnerabilities especially dangerous: websites are at risk of being compromised before any patch exists, so the only defences are to disable the vulnerable component or to mitigate around it.

The Plus Addons for Elementor Exploit

The Plus Addons for Elementor is a suite of over one hundred widgets, templates, and blocks that extends the design capabilities of sites using the Elementor page builder plugin.

Elementor is a page builder plugin that replaces the native WordPress editor with a drag-and-drop interface for building attractive sites. The vulnerability, however, is in this add-on that enhances Elementor's design capabilities, not in Elementor itself.

What is the Plus Addons for Elementor Vulnerability?

There are two versions of The Plus Addons for Elementor: a free version and a paid (pro) version. According to the Wordfence report, the flaw does not exist in the free version, so sites using only the free version are not affected. The paid version of the plugin, however, is vulnerable.

Paid Version of Plus Addon is Vulnerable

According to security researchers at Wordfence, the plugin's user registration and login widget (the "WP Login & Register" widget) is the attack vector. Wordfence's report states that the flaw lets attackers create new administrator accounts and log in as existing users, which is what makes a full site takeover possible.

“If you are using The Plus Addons for Elementor plugin, we strongly recommend deactivating and removing the plugin entirely until this vulnerability is patched. If the free version meets your needs, you can switch to it temporarily.

If your site’s functionality depends on this plugin, we recommend removing any registration or login widgets added by the plugin and disabling registration on your site. No patched version is available at the time of this publication.”

Wordfence later updated its advisory: disabling the WP Login & Register widget is not sufficient to prevent a site from being hacked.

“…the vulnerabilities are still exploitable even if the ‘WP Login & Register’ widget is disabled. For this reason, we recommend deactivating and removing the plugin until a patch is released.”

A Patch is in the Works – But Take Action Now

The plugin developer is working on a fix. Although an initial patch was released quickly, Wordfence researchers confirmed that it did not fully close the vulnerability.

Take Action Now

As mentioned above, Wordfence recommends deactivating and removing the plugin completely. If site functions depend on the plugin, consider installing the free version temporarily until a complete patch is released (per the update at the top of this article, that patch is version 4.1.7, so if you keep the plugin, update to 4.1.7 or later). Waiting for a patch with the plugin still active is a gamble, because the flaw is being actively exploited. Since the attack creates or takes over user accounts, also review your site's administrator accounts for any you do not recognise.
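The triage and mitigation steps above, as an added WP-CLI script; this is an example written for this page, not code from the article, from Wordfence, or from the plugin's developer. It assumes the plugin slug `theplus_elementor_addon` (an assumption; confirm the real slug with `wp plugin list` on your site) and that `wp` is on PATH and configured for the site. The version check uses 4.1.7 as the fixed version, which the article's update states.

```shell
#!/usr/bin/env bash
# Added example (not from the article, Wordfence, or the plugin developer):
# decide whether an installed build of The Plus Addons for Elementor is older
# than the first fully patched release and, on a live site, apply the
# recommended mitigations with WP-CLI.

FIXED_VERSION="4.1.7"                 # first fully patched release per the article
PLUGIN_SLUG="theplus_elementor_addon" # ASSUMPTION: confirm with `wp plugin list`

# version_lt A B: exit 0 if dotted version A is older than B, 1 otherwise.
# Compares component by component; missing components count as 0, so
# "4.1" is treated as "4.1.0" and "4.1.10" sorts after "4.1.7".
version_lt() {
  local -a a b
  local i x y
  IFS=. read -r -a a <<< "$1"
  IFS=. read -r -a b <<< "$2"
  for i in 0 1 2 3; do
    x=${a[i]:-0}
    y=${b[i]:-0}
    if (( x < y )); then return 0; fi
    if (( x > y )); then return 1; fi
  done
  return 1
}

# assess VERSION: prints "vulnerable" for builds older than FIXED_VERSION,
# "patched" otherwise.
assess() {
  if version_lt "$1" "$FIXED_VERSION"; then
    echo vulnerable
  else
    echo patched
  fi
}

# Only touch a real site when WP-CLI is available; the functions above run
# without it, so the script can be used purely as a version-check helper.
if command -v wp >/dev/null 2>&1; then
  installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null || true)
  if [ -z "$installed" ]; then
    echo "Plugin $PLUGIN_SLUG not installed (or slug differs); nothing to do"
  elif [ "$(assess "$installed")" = vulnerable ]; then
    echo "Vulnerable build $installed found; applying Wordfence's mitigations"
    # 1. Take the vulnerable code out of the request path. Wordfence advises
    #    removing the plugin entirely; deactivation is the reversible first step,
    #    follow it with `wp plugin delete "$PLUGIN_SLUG"` once you have confirmed
    #    nothing else depends on it.
    wp plugin deactivate "$PLUGIN_SLUG"
    # 2. Close open registration, which the attack abuses to create accounts.
    wp option update users_can_register 0
    # 3. List administrators with their registration dates so any account the
    #    attack may have created can be spotted and removed.
    wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
  else
    echo "Build $installed is at or above $FIXED_VERSION; no action needed"
  fi
fi
```

Run it from the WordPress root (or with `--path=` configured in `wp-cli.yml`). Deactivation alone does not undo an existing compromise: if an unfamiliar administrator appears in the final listing, treat the site as breached and rotate credentials and salts as well.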

Citation

Critical 0-day in The Plus Addons for Elementor Allows Site Takeover
