A Zero Day vulnerability has been discovered in the WordPress Plus Addons for Elementor. The exploit allows a full-site takeover. Security researchers recommend immediately disabling the plugin to avoid being hacked.
The exploit is not present in Elementor itself, it’s in a popular plugin that extends Elementor.
Zero Day Vulnerability
A zero day vulnerability is a vulnerability that hackers know about but for which the software developer does not have a patch to stop it.
Normally a vulnerability is discovered and the software developer has time to fix it before the flaw is discovered by hackers.
In a typical zero day vulnerability scenario the flaw is known and actively being exploited by hackers while the software developers are racing to discover what the exploit is.
This is why zero day vulnerabilities are considered to be of high concern because websites are liable to be hacked in the time between the vulnerability is discovered and a patch is released.
The Plus Addons for Elementor Exploit
The Plus Addons for Elementor is a suite of over one hundred widgets, templates and blocks that extends the design possibilities for sites that use the Elementor page builder plugin.
Elementor is a page builder plugin that extends the native WordPress editor to make it easier to create attractive websites.
The vulnerability is not on Elementor though. The vulnerability exists on a plugin that extends the design capabilities of Elementor.
What is the Plus Addons for Elementor Vulnerability?
There are two kinds of Plus Addons for Elementor plugins. There’s a free version and a paid version.
The flaw does not exist in the free version. So if you’re operating with the free version of the addon, then your site is safe.
The paid version of the plugin is unsafe.
Paid Version of Plus Addon is Vulnerable
According to Wordfence security researchers, the registration and login widget modules of the plugin are the attack vector.
“If you are using The Plus Addons for Elementor plugin, we strongly recommend that you deactivate and remove the plugin completely until this vulnerability is patched. If the free version will suffice for your needs, you can switch to that version for the time being.
If your site’s functionality is dependent on this plugin, we recommend completely removing any registration or login widgets added by the plugin and disabling registration on your site. No patched version is available at the time of this publication.”
It was later discovered that disabling the WP Login & Register widget is not enough to prevent being hacked.
“…the vulnerabilities are still exploitable even if the “WP Login & Register” widget is disabled. For that reason, we recommend temporarily deactivating and removing the plugin until a patch has been released.”
A Patch is in the Works – But Take Action Now
The plugin developer is hard at work creating a patch. An initial patch was swiftly released but WordFence researchers confirmed that it did not fully harden the plugin against the exploit.
Take Action Now
As related above, Wordfence recommends completely deactivating and removing the plugin. If there are site functions that depend on the plugin, it’s possible to install the free version temporarily until a patch is published.
It may not be prudent to take a chance and wait for a patch because the flaw is actively being exploited.