Today, March 8, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day in The Plus Addons for Elementor, a premium plugin that we estimate has over 30,000 installations. This vulnerability was reported this morning to WPScan by Seravo, a hosting company. The flaw makes it possible for attackers to create new administrative user accounts on vulnerable sites, if user registration is enabled.

The Plus Addons for Elementor Lite, the free version by the same developer, does not appear to be vulnerable to this exploit.

Wordfence Premium customers received a rule on March 8, 2021 to protect against active exploitation of this vulnerability. Wordfence users still using the free version will receive protection on April 7, 2021.

If you are using The Plus Addons for Elementor plugin, we strongly recommend that you deactivate and remove the plugin completely until this vulnerability is patched. If the free version will suffice for your needs, you can switch to that version for the time being. If your site’s functionality is dependent on this plugin, we recommend disabling user registration on your site. No patched version is available at the time of this publication.

Description: Privilege Escalation
Affected Plugin: The Plus Addons for Elementor
Plugin Slug: theplus_elementor_addon
Affected Versions: <= 4.1.5
CVE ID: 2021-24175
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: Currently unpatched.

The `The Plus Addons for Elementor` plugin is designed to add several additional widgets to be used alongside Elementor. One of these widgets added the ability to add a user login and registration form to an Elementor page. Unfortunately, this functionality was improperly configured and allowed attackers to register as administrator users.

It should be noted that this vulnerability can only be exploited if you have user registration enabled on your site, and if you have an active login or registration page that was created with the `The Plus Addons for Elementor` plugin.

At this time, we are releasing very minimal details due to this being an actively exploited vulnerability. We may decide to release more details in the future, but in the meantime we recommend you take appropriate measures to secure your site.

Indicators of Compromise

At this time, we have very limited indicators of compromise. However, we believe that attackers are adding user accounts with usernames as the registered email address based on how the vulnerability creates user accounts, and potentially installing a malicious plugin. We strongly recommend checking your site for any unexpected administrative users or plugins you did not install.

We will update this section as we learn more.

Response timeline

March 8th, 2021 8:55 AM UTC – New vulnerability entry in WPScan reporting 0-day vulnerability in the The Plus Addons for Elementor plugin.
March 8th, 2021 1:32 PM UTC – Wordfence Threat Intelligence is alerted to the new vulnerability report and begins to triage the vulnerability.
March 8th, 2021 2:08 PM UTC – We verify the existence of the vulnerability and create a proof of concept.
March 8th, 2021 2:20 PM UTC – We create and begin testing a firewall rule to protect against the vulnerability.
March 8th, 2021 2:25 PM UTC – We reach out to the plugin developer to make sure that they are aware of the vulnerability and offer to provide details if required.
March 8th, 2021 2:50 PM UTC – The firewall rule is deployed to premium users.
April 7th, 2021 – Wordfence Free users receive the firewall rule.

Conclusion

In today’s post, we detailed a zero-day vulnerability being actively exploited in The Plus Addons for Elementor, a plugin that allows unauthenticated attackers to escalate their privileges on a vulnerable WordPress installation. This can be used to completely take over a WordPress site. This vulnerability currently remains unpatched as of this morning and, therefore, we strongly recommend deactivating and removing the plugin until a patch has been released.

Wordfence Premium customers received a rule on March 8, 2021 to protect against active exploitation of this vulnerability. Wordfence users still using the free version will receive protection on April 7, 2021.

Please forward and share this post widely so that those using this vulnerable plugin can take fast action to protect their sites as this zero-day vulnerability is currently being exploited in the wild.

Special thanks to Ramuel Gall, Wordfence Threat Analyst and QA Engineer, and Kathy Zant, Wordfence’s Director of Marketing, for their contributions to this post and research pertaining to the vulnerability. 

The post Critical 0-day in The Plus Addons for Elementor Allows Site Takeover appeared first on Wordfence.