Wordfence experts warned that on May 6, hackers began exploiting critical vulnerabilities in the WordPress plugins Elementor Pro and Ultimate Addons for Elementor. The bugs can be used to remotely execute arbitrary code and completely compromise vulnerable sites.
Elementor Pro is a paid plugin with over 1,000,000 active installations. It helps users build WordPress sites with its built-in theme and widget builders, and also supports custom CSS.
Elementor Pro was found to contain an RCE vulnerability rated critical. The bug allows attackers with only ordinary user-level access to upload arbitrary files to target sites and to execute arbitrary code on them remotely. At the time the attacks began, this vulnerability was a 0-day.
Analysts write that attackers use this vulnerability to install backdoors and web shells (that is, to give themselves persistent access to compromised sites), gain administrator privileges and take full control of the site.
If hackers do not already have user access to the site, they can use the second vulnerability, which affects the Ultimate Addons for Elementor plugin, installed on more than 110,000 sites. A flaw in this plugin lets attackers register as subscribers on any site where the plugin is running (even if user registration is disabled).
To protect against these attacks, Wordfence experts recommend that administrators upgrade Elementor Pro to version 2.9.4, which fixes the RCE vulnerability, as soon as possible. Users of Ultimate Addons for Elementor, in turn, need to update the plugin to version 1.24.2 or later, where the user-registration problem has been fixed.
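As an added example (not code from Wordfence or the plugin vendors), the following script checks the versions declared in the two plugins' header comments against the fixed releases named above. The plugin folder and main-file paths under wp-content/plugins are assumptions about the standard install layout.

```python
import os
import re

# Minimum patched versions from the advisory. The folder/main-file paths
# (relative to wp-content/plugins) are assumptions about the usual layout.
FIXED_VERSIONS = {
    "elementor-pro/elementor-pro.php": (2, 9, 4),
    "ultimate-elementor/ultimate-elementor.php": (1, 24, 2),
}

# WordPress reads a plugin's version from a "Version:" line in the header comment.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(text):
    """Turn '2.9.3' into (2, 9, 3). A pre-release suffix such as '-rc1' is
    dropped, so '2.9.4-rc1' compares equal to the 2.9.4 release."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))


def header_version(header):
    """Return the declared version string, or None if the header has none."""
    m = VERSION_RE.search(header)
    return m.group(1) if m else None


def is_vulnerable(slug, header):
    """True if the declared version is older than the fixed release, False if
    patched, None if the plugin is not tracked or declares no version."""
    fixed, version = FIXED_VERSIONS.get(slug), header_version(header)
    if fixed is None or version is None:
        return None
    return parse_version(version) < fixed


def assess_headers(headers):
    """Map slug -> (declared version, vulnerable?) for tracked plugins only."""
    return {slug: (header_version(text), is_vulnerable(slug, text))
            for slug, text in headers.items() if slug in FIXED_VERSIONS}


def scan_plugins_dir(plugins_dir):
    """Read the main file of each tracked plugin that is installed and assess it."""
    headers = {}
    for slug in FIXED_VERSIONS:
        path = os.path.join(plugins_dir, slug)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as f:
                headers[slug] = f.read(4096)  # header comment sits at the top
    return assess_headers(headers)


if __name__ == "__main__":
    # Constructed sample headers standing in for files read from disk.
    sample = {
        "elementor-pro/elementor-pro.php": "<?php\n/**\n * Version: 2.9.3\n */",
        "ultimate-elementor/ultimate-elementor.php": "<?php\n/**\n * Version: 1.24.2\n */",
    }
    for slug, (ver, vuln) in assess_headers(sample).items():
        print(f"{slug}: {ver} -> {'UPDATE REQUIRED' if vuln else 'patched'}")
```

Run it against a real install with `scan_plugins_dir("/var/www/html/wp-content/plugins")`; a result of `True` for either plugin means the advisory's fixed version has not yet been applied.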