WordPress plugin vulnerabilities affect more than 1 million websites

A new finding has been revealed affecting WordPress site administrators. According to WordFence pentesting course specialists, the Elementor Pro plugin contains a critical zero-day vulnerability. Although the patch to fix this bug has just been released, it is important to spread the word about it, as the un-updated versions are being actively exploited. 

Elementor Pro is the premium version of the popular Content Management System (CMS) page generator plugin. It should be noted that the vulnerability is not present in the free version of Elementor. According to the team in charge of the find, the flaw is considered critical.

Apparently, all threat actors require to exploit this vulnerability is to register on the target website, mention the experts of the pentesting course. If administrators run a WordPress website with Elementor Pro and allow site visitors to register for comments, the site might be exposed.  

However, the report ensures that websites may be exposed even if they do not have registered users. This is due to the existence of another vulnerable plugin; the Ultimate Addons tool for Elementor Pro contains a vulnerability that would allow a threat actor to register as a website subscriber, even if this feature is not enabled. In other words, the flaw in Ultimate Addons allows threat actors to hack Elementor Pro.

In their report, pentesting course experts stated: “Because the vulnerability has not been corrected at this time, we are excluding any additional information. We have data that indicates that the Elementor team is working on a patch.”

Regarding the ultimate Addons flaw, the vulnerability allows a hacker to take advantage of the Elementor Pro vulnerability if user registration is disabled. At this point there is already a recently released patch available to fix the Elementor Pro vulnerability. We recommend that you upgrade Elementor Pro to version 2.9.4 to be protected. There is also a patch to fix the ultimate plugins for the Elementor plugin.

By updating the Ultimate Addons plugin, you can in theory prevent a hacker from exploiting an Elementor Pro site, as long as user registrations are prohibited.

For further reports on vulnerabilities, exploits, malware variants and computer security risks you can access the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.