Last week, on March 8, 2021, security researchers at Seravo and WP Charged reported a critical zero-day vulnerability in The Plus Addons for Elementor. WPScan categorized it as an authentication bypass vulnerability:
The plugin is being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled, and the Login widget is not active.
It’s important to note that this particular vulnerability affects users of the commercial version of The Plus Addons for Elementor, not the free version, and not core Elementor.
The plugin’s authors pushed out a partially patched version 4.1.6 after disclosure and then a second version 4.1.7 to more fully address the issue.
Wordfence reports that it is still blocking attempts against sites running unpatched versions. It has blocked 1900 site takeover attempts from a specific username, blocked 1170 attempts from a specific email, and blocked 4,000 attempts over the past week. Attackers are still targeting sites that have not updated to the patched version.
“Evidence suggests it had been actively exploited for ~5 days before that,” Wordfence threat analyst Chloe Chamberland said on the Wordfence Live show today. “Our earliest date of compromise was March 5th that we know of so far. There was a vulnerability for a few days that nobody really knew about except for this attacker who was going out and exploiting it.”
Those whose sites have been exploited have seen malicious admin accounts created. Others have experienced every URL on their sites redirecting, making it very difficult to clean. Attackers have also been installing malicious plugins called “WP Strongs” and “WP Staff.” Those who cannot access the admin dashboard will have a more difficult time removing these plugins.
Elementor users who have the Plus Addons plugin installed are advised to update to the latest version and check for malicious plugins and files. Ideally, site owners who were subject to exploits would have a backup to restore. Chamberland concluded the Wordfence Live broadcast today by walking users through manually cleaning up exploited sites, including replacing the wp-includes and wp-admin folders, along with standard files outside those directories. The recording might be helpful for those who are struggling to clean up the damage.
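The checks described above (confirm the plugin is at 4.1.7 or later, look for the "WP Strongs" and "WP Staff" plugins, and review administrator accounts created during the exploitation window) can be scripted against exports from the site. The following is an added triage example, not code from the article, from Wordfence or from the plugin's authors. It assumes a plugin inventory and user list in the shape produced by `wp plugin list --format=json` and `wp user list --format=json`; the plugin directory slug `the-plus-addons-for-elementor-page-builder` and the sample data are assumptions constructed for the example.

```python
"""Post-incident triage helper for the Plus Addons for Elementor issue.

Added example, not from the article or the plugin vendor. Given a plugin
inventory and a user list (e.g. exported with WP-CLI), it flags:
  * a copy of The Plus Addons below 4.1.7 (unpatched),
  * plugins whose display name matches the malicious plugin names the
    article reports ("WP Strongs", "WP Staff"),
  * administrator accounts registered on or after 2021-03-05, the earliest
    compromise date Wordfence reported.
"""
import re
from datetime import datetime

PATCHED_VERSION = (4, 1, 7)
EARLIEST_COMPROMISE = datetime(2021, 3, 5)
# Assumed directory slug for the example; verify the real one under wp-content/plugins.
PLUS_ADDONS_SLUG = "the-plus-addons-for-elementor-page-builder"
# Matches "WP Strongs", "WP Strong", "WP Staff" with optional whitespace, case-insensitive.
MALICIOUS_PLUGIN_NAMES = re.compile(r"^wp\s*(strongs?|staff)$", re.IGNORECASE)


def parse_version(version):
    """Turn a version string such as '4.1.6' into a comparable tuple of ints.

    Only the first three numeric components are used, so '4.1' becomes (4, 1)
    and compares below (4, 1, 7) as intended.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version)[:3])


def triage(plugins, users):
    """Return a list of (finding_type, identifier, detail) tuples."""
    findings = []
    for plugin in plugins:
        if plugin["slug"] == PLUS_ADDONS_SLUG and parse_version(plugin["version"]) < PATCHED_VERSION:
            findings.append(("unpatched_plugin", plugin["slug"], plugin["version"]))
        if MALICIOUS_PLUGIN_NAMES.match(plugin["name"].strip()):
            findings.append(("malicious_plugin", plugin["slug"], plugin["name"]))

    for user in users:
        # WP-CLI emits roles as a comma-separated string; accept a list as well.
        roles = user["roles"] if isinstance(user["roles"], list) else user["roles"].split(",")
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "administrator" in roles and registered >= EARLIEST_COMPROMISE:
            findings.append(("new_admin", user["user_login"], user["user_registered"]))
    return findings


# Constructed sample data standing in for the WP-CLI exports.
SAMPLE_PLUGINS = [
    {"slug": "elementor", "name": "Elementor", "version": "3.1.4"},
    {"slug": PLUS_ADDONS_SLUG, "name": "The Plus Addons for Elementor", "version": "4.1.6"},
    {"slug": "wp-strongs", "name": "WP Strongs", "version": "1.0"},
    {"slug": "akismet", "name": "Akismet Anti-Spam", "version": "4.1.9"},
]
SAMPLE_USERS = [
    {"user_login": "owner", "roles": "administrator", "user_registered": "2019-06-01 10:00:00"},
    {"user_login": "editor1", "roles": "editor", "user_registered": "2021-03-06 08:00:00"},
    {"user_login": "wp_support", "roles": "administrator", "user_registered": "2021-03-07 03:12:44"},
]

if __name__ == "__main__":
    for finding_type, identifier, detail in triage(SAMPLE_PLUGINS, SAMPLE_USERS):
        print(f"{finding_type}: {identifier} ({detail})")
```

A flagged administrator account is not proof of compromise on its own; it is a prompt to confirm with whoever runs the site that the account is expected. The version check only covers the plugin itself, so it complements rather than replaces the file-level cleanup (replacing wp-includes and wp-admin) that the broadcast walks through.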