Vulnerabilities in two plugins endanger a million of WordPress sites

This week we wrote that hackers attacked 900 thousand sites, and as it turned out that due to vulnerabilities in the two plug-ins, another million of WordPress sites are in danger.

Bugs can be used to remotely execute arbitrary code and completely compromise vulnerable sites.

Elementor Pro is a paid plugin with over 1,000,000 active installations. It helps users create their own WordPress-based websites with built-in theme and widget builders, as well as support custom CSS solutions.

“An Elementor Pro has detected an RCE issue that has received critical status. The bug allows cybercriminals with simple user access to upload arbitrary files to target sites, as well as remotely execute arbitrary code on them“, – write Wordfence researchers.

At the time the attacks began, this vulnerability was a 0-day problem.

Analysts write that attackers use this vulnerability to install backdoors and web shells (that is, provide themselves access to compromised sites), gain administrator privileges and completely transfer the resource under their control.

“To be clear, this does not impact the free Elementor plugin with over 4 million installations available from the WordPress plugin repository. The Elementor Pro plugin is a separate download available from the Elementor.com website. We estimate that Elementor Pro has over 1 million active installations”, — specify in Wordfence.

If hackers do not have user’s access to the resource, they can use the second vulnerability, affecting the Ultimate Addons for Elementor plugin installed on more than 110,000 sites.

A hole in this plugin will help attackers register as subscribers on any site where the plugin is running (even if use’s registration is disabled).

To protect against these attacks, Wordfence experts recommend that administrators upgrade Elementor Pro to version 2.9.4 as soon as possible, which eliminates the RCE vulnerability. Users of Ultimate Addons for Elementor, in turn, need to update the plugin to version 1.24.2 or later, where the problem with registering new users has been fixed.

Despite the fact that the vulnerabilities of wordpress plugins are already famous to experts, it seems that this week was marked with one of the most massive attacks on sites running this CMS.