UPDATE 2: As of late March 9th, 2021, the vulnerabilities have been fully patched in version 4.1.7. We highly recommend updating to this version immediately to keep your sites secure. Special thanks to the plugin developers for working as quickly as possible to resolve these issues.
UPDATE 1: As of March 9th, 2021, the vulnerability is still not fully patched. The plugin developer released a partially patched version of the plugin (4.1.6) shortly after our disclosure, however, the update does not fully address the vulnerability. We are in contact with the developer and they are working quickly on the additional fixes required, we expect a new patch will be released shortly. We will update this post once a fully sufficient patch has been released.
Today, March 8, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day in The Plus Addons for Elementor, a premium plugin that we estimate has over 30,000 installations. This vulnerability was reported this morning to WPScan by Seravo, a hosting company. The flaw makes it possible for attackers to create new administrative user accounts on vulnerable sites, if user registration is enabled, along with logging in as other administrative users.
The Plus Addons for Elementor Lite, the free version by the same developer, does not appear to be vulnerable to this exploit.
Wordfence Premium customers received a rule on March 8, 2021 to protect against active exploitation of this vulnerability. Wordfence users still using the free version will receive protection on April 7, 2021.
If you are using The Plus Addons for Elementor plugin, we strongly recommend that you deactivate and remove the plugin completely until this vulnerability is patched. If the free version will suffice for your needs, you can switch to that version for the time being. If your site’s functionality is dependent on this plugin, we recommend completely removing any registration or login widgets added by the plugin and disabling registration on your site. No patched version is available at the time of this publication.
Description: Privilege Escalation
Affected Plugin: The Plus Addons for Elementor
Plugin Slug: theplus_elementor_addon
Affected Versions: <= 4.1.6
CVE ID: CVE-2021-24175
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 4.1.7
“The Plus Addons for Elementor” is a plugin designed to add several additional widgets to be used alongside Elementor. One of these widgets adds a user login and registration form to an Elementor page. Unfortunately, this functionality was improperly configured and allowed attackers to register as an administrative user, or to log in as an existing administrative user.
It should be noted that this vulnerability can still be exploited even if you do not have an active login or registration page that was created with the plugin. This means that any site running this plugin is vulnerable to compromise.
At this time, we are releasing very minimal details due to this being an actively exploited vulnerability. We may decide to release more details in the future, but in the meantime we recommend you take appropriate measures to secure your site.
Indicators of Compromise
At this time, we have very limited indicators of compromise. However, based on how the vulnerability creates user accounts, we believe that attackers are adding user accounts whose username is the registered email address, and in some cases installing a malicious plugin labeled wpstaff. We strongly recommend checking your site for any unexpected administrative users or plugins you did not install.
We will update this section as we learn more.
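The following script is an added example written for this post; it is not Wordfence's code and not the plugin's. It turns the two indicators above (administrator accounts whose username is their email address, and a plugin directory named wpstaff) into checks over the CSV output of WP-CLI, and it also applies the containment steps recommended earlier (deactivate the plugin, disable open registration). The function names, the assumption that WP-CLI is installed as `wp`, and the sample CSV lines in the comments are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the advisory: triage helpers for the IoCs named above.
# Input formats match `wp user list --format=csv` and `wp plugin list --field=name`.

# Print administrator accounts whose login equals their email address (the
# account pattern the advisory attributes to the flaw). Reads CSV lines of the
# form "user_login,user_email,user_registered"; a header row is skipped.
# Exit status 0 if at least one account matched, 1 otherwise.
flag_email_named_admins() {
    awk -F',' '
        NR == 1 && $1 == "user_login" { next }
        $1 != "" && $1 == $2 { print; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if a plugin slug "wpstaff" appears in the plugin list on stdin
# (one slug per line), 1 otherwise.
check_wpstaff_plugin() {
    grep -qx 'wpstaff'
}

# Run both checks against a live site. Requires WP-CLI on PATH (assumption)
# and must be run from the WordPress root.
audit_site() {
    if ! command -v wp >/dev/null 2>&1; then
        echo "wp (WP-CLI) not found; run from the WordPress root with WP-CLI installed" >&2
        return 2
    fi
    echo "Administrator accounts whose username is an email address:"
    wp user list --role=administrator --format=csv \
        --fields=user_login,user_email,user_registered \
        | flag_email_named_admins || echo "(none found)"
    if wp plugin list --field=name | check_wpstaff_plugin; then
        echo "WARNING: plugin 'wpstaff' is installed; review it and the site immediately"
    fi
}

# Containment steps from the advisory: deactivate the vulnerable plugin
# (slug from the advisory) and turn off open user registration.
contain_site() {
    command -v wp >/dev/null 2>&1 || return 2
    wp plugin deactivate theplus_elementor_addon
    wp option update users_can_register 0
}

# Usage from the WordPress root:  . ./triage.sh && audit_site && contain_site
```

The audit only reads data, so it is safe to run repeatedly while investigating; `contain_site` changes site state and should be run once you have decided to follow the deactivation advice. Accounts flagged by `flag_email_named_admins` are candidates for review, not proof of compromise, since a legitimate administrator may also have registered with an email-style username.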
Response timeline
March 8th, 2021 8:55 AM UTC – New vulnerability entry in WPScan reporting a 0-day vulnerability in The Plus Addons for Elementor plugin.
March 8th, 2021 1:32 PM UTC – Wordfence Threat Intelligence is alerted to the new vulnerability report and begins to triage the vulnerability.
March 8th, 2021 2:08 PM UTC – We verify the existence of the vulnerability and create a proof of concept.
March 8th, 2021 2:20 PM UTC – We create and begin testing a firewall rule to protect against the vulnerability.
March 8th, 2021 2:25 PM UTC – We reach out to the plugin developer to make sure that they are aware of the vulnerability and offer to provide details if required.
March 8th, 2021 2:50 PM UTC – The firewall rule is deployed to premium users.
April 7th, 2021 – Wordfence Free users receive the firewall rule.
Conclusion
In today’s post, we detailed a zero-day vulnerability being actively exploited in The Plus Addons for Elementor, a flaw that allows unauthenticated attackers to escalate their privileges on a vulnerable WordPress installation. This can be used to completely take over a WordPress site. This vulnerability currently remains unpatched as of this morning and, therefore, we strongly recommend deactivating and removing the plugin until a patch has been released.
Wordfence Premium customers received a rule on March 8, 2021 to protect against active exploitation of this vulnerability. Wordfence users still using the free version will receive protection on April 7, 2021.
Please forward and share this post widely so that those using this vulnerable plugin can take fast action to protect their sites as this zero-day vulnerability is currently being exploited in the wild.
Special thanks to Ramuel Gall, Wordfence Threat Analyst and QA Engineer, and Kathy Zant, Wordfence’s Director of Marketing, for their contributions to this post and research pertaining to the vulnerability.