Attackers Continue to Exploit Vulnerabilities in The Plus Addons for Elementor Plugin – WP Tavern
Sarah Gooding
Last week, on March 8, 2021, security researchers at Seravo and WP Charged reported a critical zero-day vulnerability in The Plus Addons for Elementor. WPScan categorized it as an authentication bypass vulnerability:
The plugin is being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled, and the Login widget is not active.
It’s important to note that this particular vulnerability affects users of the commercial version of The Plus Addons for Elementor, not the free version, and not core Elementor.
The plugin’s authors pushed out a partially patched version 4.1.6 after disclosure and then a second version 4.1.7 to more fully address the issue.
Wordfence is reporting that it is still blocking attempts on sites that are running unpatched versions. Over the past week it blocked 1,900 site takeover attempts from a specific username, 1,170 attempts from a specific email address, and 4,000 attempts in total. Attackers are still targeting sites that have not updated to the patched version.
“Evidence suggests it had been actively exploited for ~5 days before that,” Wordfence threat analyst Chloe Chamberland said on the Wordfence Live show today. “Our earliest date of compromise was March 5th that we know of so far. There was a vulnerability for a few days that nobody really knew about except for this attacker who was going out and exploiting it.”
Those whose sites have been exploited have seen malicious admin accounts created. Others have experienced every URL on their sites redirecting, making it very difficult to clean. Attackers have also been installing malicious plugins called “WP Strongs” and “WP Staff.” Those who cannot access the admin dashboard will have a more difficult time removing these plugins.
Elementor users who have the Plus Addons plugin installed are advised to update to the latest version and check for malicious plugins and files. Ideally, site owners who were subject to exploits would have a backup to restore. Chamberland concluded the Wordfence Live broadcast today by walking users through manually cleaning up exploited sites, including replacing the wp-includes and wp-admin folders, along with standard files outside those directories. The recording might be helpful for those who are struggling to clean up the damage.
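The manual cleanup described above boils down to two file-system checks: find plugin directories that should not be there, and find core files under wp-includes and wp-admin that differ from a pristine copy of the same WordPress version (which is why the advice is to replace those two folders outright). The script below is an added example, not code from the article, Wordfence or the plugin authors. It hashes both trees and reports modified, added and missing files, and flags plugin directories whose names match the reported malicious plugins. The directory slugs `wp-strongs` and `wp-staff` are assumptions derived from the display names the article gives ("WP Strongs" and "WP Staff"); adjust them to what you actually find on disk. The fixture in `run_demo()` is constructed so the script runs offline. Reviewing user accounts for rogue administrators is a database check and is not covered here.

```python
import hashlib
import tempfile
from pathlib import Path

# The article names the malicious plugins "WP Strongs" and "WP Staff"; these
# directory slugs are an ASSUMPTION, not values taken from the article.
SUSPECT_PLUGIN_SLUGS = {"wp-strongs", "wp-staff"}
# Core directories the cleanup advice says to replace wholesale.
CORE_DIRS = ("wp-includes", "wp-admin")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large core files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map of relative POSIX path -> sha256 for every regular file under root."""
    if not root.is_dir():
        return {}
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_core_dirs(site_root, clean_root) -> dict:
    """Compare a site's wp-includes/ and wp-admin/ against a pristine download
    of the SAME WordPress version. Added files are the usual attacker drop-ins;
    modified files are injected code; missing files hint at a broken install."""
    site_root, clean_root = Path(site_root), Path(clean_root)
    modified, added, missing = [], [], []
    for d in CORE_DIRS:
        site_hashes = hash_tree(site_root / d)
        clean_hashes = hash_tree(clean_root / d)
        for rel, digest in site_hashes.items():
            if rel not in clean_hashes:
                added.append(f"{d}/{rel}")
            elif clean_hashes[rel] != digest:
                modified.append(f"{d}/{rel}")
        missing.extend(f"{d}/{rel}" for rel in clean_hashes if rel not in site_hashes)
    return {"modified": sorted(modified), "added": sorted(added), "missing": sorted(missing)}


def find_suspect_plugins(site_root) -> list:
    """Plugin directories whose slug matches one of the reported malicious plugins."""
    plugins = Path(site_root) / "wp-content" / "plugins"
    if not plugins.is_dir():
        return []
    return sorted(p.name for p in plugins.iterdir()
                  if p.is_dir() and p.name.lower() in SUSPECT_PLUGIN_SLUGS)


def _write(path: Path, text: str) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def run_demo() -> dict:
    """Constructed fixture: a clean core copy beside a 'compromised' site with one
    altered core file, one injected drop-in and one suspect plugin directory."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp) / "clean", Path(tmp) / "site"
        for root in (clean, site):
            _write(root / "wp-includes" / "functions.php", "<?php // original\n")
            _write(root / "wp-admin" / "index.php", "<?php // admin\n")
        # Simulated tampering on the site copy only (constructed content).
        _write(site / "wp-includes" / "functions.php", "<?php // original\n// constructed modification\n")
        _write(site / "wp-admin" / "zz-dropin.php", "<?php // constructed injected file\n")
        (site / "wp-content" / "plugins" / "wp-strongs").mkdir(parents=True)
        (site / "wp-content" / "plugins" / "elementor").mkdir(parents=True)
        return {"core": diff_core_dirs(site, clean), "plugins": find_suspect_plugins(site)}


if __name__ == "__main__":
    # Real use: diff_core_dirs("/var/www/site", "/tmp/wordpress-<same-version>")
    for key, value in run_demo().items():
        print(key, value)
```

On a real site, download the matching WordPress release, unpack it somewhere outside the web root, and pass that path as `clean_root`; anything reported under `added` or `modified` is what a wholesale replacement of wp-includes and wp-admin would have overwritten, and it is worth keeping the list as evidence before you replace them. Files outside those two directories (wp-config.php, .htaccess, uploads) still need a manual review.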
Anyone affected by this hack and hosts using cPanel, please check your autoresponders in cPanel. While cleaning up the client’s website, we noticed malicious autoresponders were created. The body of the email contained the same malicious JavaScript as the infected files. You might not be able to delete them using the cPanel UI, so you need to use File Manager and delete them manually inside the .autorespond directory. This is a nasty hack.