A massive attack campaign targeting two popular WordPress plugins, Elementor Pro and Ultimate Addons for Elementor, has been identified. More than a million WordPress websites have these plugins installed and are prime targets. Since the zero-day exploit first came to light, the developers of Elementor Pro and Ultimate Addons for Elementor have hurried to patch the vulnerability. Both plugins have received patches in their updated versions, which are:
- Elementor Pro: 2.9.4
- Ultimate Addons for Elementor: 1.24.2
Please update to these versions from any prior version you might have if you haven’t already.
Updated on 6th June 2020: Another critical stored XSS vulnerability was discovered in the Elementor Page Builder plugin. This vulnerability allows an author-level user to create custom links carrying a malicious XSS payload and to add custom attributes to widgets, which again becomes a stored XSS risk. A patch has been released in version 2.9.10. Please update to this version as soon as possible.
More about the hack…
A vulnerability in Elementor Pro allowed Remote Code Execution on WordPress websites with open registration. The vulnerability stems from file upload permissions granted to subscriber-level users: a subscriber was allowed to upload icon sets (in zip format) to the site.
Since Elementor Pro also lacked a validation check, it allowed questionable extensions and content to be uploaded. So an attacker with the lowest level of authentication was able to upload a .zip file containing executable malicious code. Once that code is executed, the attacker could do anything: upload a shell or malware, insert a backdoor, add fake users, gain administrative access, modify settings, or even delete the complete website.
In the patch that Elementor Pro released, it added code to validate the file contents of the zip, so that only CSS, EOT, HTML, JSON, OTF, SVG and similar file formats are allowed to be uploaded.
They added another patch to allow only authorized users (Administrators and Super Administrators) to upload files. If a user with the subscriber role tries to upload a zip, it throws an error.
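The two fixes just described, as an added illustration written for this post rather than Elementor Pro's actual patch code: it assumes a WordPress runtime (current_user_can, WP_Error) and PHP's ZipArchive, and the allow-list holds exactly the formats the post names.

```php
// Added illustration for this post, not Elementor Pro's actual patch code.
// Assumes a WordPress runtime (current_user_can, WP_Error) and PHP's ZipArchive.

// Allow-list of extensions permitted inside an icon-set archive: the formats the
// post names. Extend it deliberately, never with a wildcard or a deny-list.
const ICON_SET_ALLOWED_EXTENSIONS = ['css', 'eot', 'html', 'json', 'otf', 'svg'];

// Second fix: only administrators may upload. Super administrators on multisite
// hold every capability, so manage_options covers them; subscribers fail here.
function icon_set_upload_allowed(): bool {
    return is_user_logged_in() && current_user_can('manage_options');
}

// First fix: inspect every archive member before anything is extracted.
// Returns the reasons for rejection; an empty array means the archive passed.
function validate_icon_set_zip(string $zip_path, array $allowed = ICON_SET_ALLOWED_EXTENSIONS): array {
    $errors = [];
    $zip = new ZipArchive();
    if ($zip->open($zip_path) !== true) {
        return ['Archive could not be opened.'];
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false || $name === '' || substr($name, -1) === '/') {
            continue; // directory entries carry no content
        }
        // Reject traversal and absolute paths so extraction cannot escape the target directory.
        if (strpos($name, '..') !== false || $name[0] === '/' || strpos($name, '\\') !== false) {
            $errors[] = "Unsafe path in archive: $name";
            continue;
        }
        // Compare the final extension, lower-cased, against the allow-list.
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, $allowed, true)) {
            $errors[] = "Disallowed file type in archive: $name";
        }
    }
    $zip->close();
    return $errors;
}

// Upload handler gate: role check first, then content check.
function handle_icon_set_upload(string $tmp_path) {
    if (!icon_set_upload_allowed()) {
        return new WP_Error('forbidden', 'Only administrators may upload icon sets.');
    }
    $errors = validate_icon_set_zip($tmp_path);
    return $errors === [] ? true : new WP_Error('invalid_archive', implode(' ', $errors));
}
```

The archive is checked member by member before extraction, so a rejected upload never reaches the filesystem, and the role check runs first so an unprivileged account cannot even probe the validator.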
The Ultimate Addons plugin does not lack file upload rules as such. However, it allows anyone to obtain subscriber-level access to a website, even in the absence of an active registration form.
This vulnerability in Ultimate Addons for Elementor gives attackers the foothold they need to exploit the more critical RCE vulnerability in Elementor Pro. So even if a website does not host a registration form, an attacker can add themselves as a subscriber, which is the minimum requirement to exploit the RCE vulnerability in Elementor Pro.
Here, we must mention that the vulnerability lies exclusively in Elementor Pro; users of the free Elementor version are safe from this attack.
If you’re an Astra customer, you need not worry, as Astra already blocks such file uploads. Just to be doubly sure, you can log in to your dashboard, navigate to Settings >> File Upload Rules, and check that the toggle is already on.
If you want to block additional extensions, you can also add a file upload rule that blocks all such malicious upload attempts.
All other users of Elementor Pro and Ultimate Addons for Elementor are advised to update to the patched version. The patched versions, as already mentioned, are 2.9.4 for Elementor Pro and 1.24.2 for Ultimate Addons for Elementor.
If you have been hacked, you can get an immediate malware cleanup (takes under 4 hours) by Astra and restore your website to normalcy.
After ensuring the updates, also make sure to follow this WordPress security guide for enhanced security.