A critical vulnerability identified in The Plus Addons for Elementor WordPress plugin could be exploited to gain administrative privileges to a website. The zero-day has been exploited in the wild, the Wordfence team at WordPress security company Defiant warns.
With more than 30,000 installations to date, The Plus Addons for Elementor is a premium plugin that has been designed to add several widgets to be used with the popular WordPress website builder Elementor.
The identified issue, Wordfence explains, resides in one of the added widgets, which provides the ability to insert user login and registration forms to Elementor pages.
Because the functionality is not properly configured, an attacker can create a new administrative user account on the vulnerable site, or even to log in as an existing administrative user, the researchers reveal.
All users of The Plus Addons for Elementor plugin are advised to deactivate and remove the plugin until a fix has been delivered for this zero-day. All registration or login widgets added by the plugin should be removed, and registration on vulnerable sites disabled.
The researchers also note that the free version of the plugin, namely The Plus Addons for Elementor Lite, is not affected by the same vulnerability. Thus, users should switch to the free version instead, until the vulnerability is addressed.
“It should be noted that this vulnerability can still be exploited even if you do not have an active login or registration page that was created with the plugin. This means that any site running this plugin is vulnerable to compromise,” Wordfence says.
The researchers also note that the vulnerability is currently being actively exploited. Thus, no further details on the issue are being released for the time being.
“We believe that attackers are adding user accounts with usernames as the registered email address based on how the vulnerability creates user accounts, and in some cases installing a malicious plugin labeled wpstaff. We strongly recommend checking your site for any unexpected administrative users or plugins you did not install,” Wordfence concludes.
The researchers have created a proof-of-concept and contacted the plugin’s developers, who are reportedly working on a patch.