Plugin Exploit

Elementor Pro and Ultimate Addons For Elementor Under Attack: Update Quickly

Updated on: June 7, 2020

Elementor Pro and Ultimate Addons For Elementor Under Attack: Update Quickly

A massive attack campaign targeting two popular WordPress plugins – Elementor Pro and Ultimate Add-ons for Elementor has been identified. More than a million WordPress websites that have these plugins installed are a hot target. Since the zero-day exploit first came to light, plugin developers of Elementor and Ultimate Addons for Elementor hurried to patch the vulnerability. Both the plugins have received patches in their updated versions, which are :

  • Elementor Pro: 2.9.4
  • Ultimate Addons for Elementor: 1.24.2

Please update to these versions from any prior version you might have if you haven’t already.

Updated on 6th June 2020: Another critical stored XSS vulnerability was discovered in the Elementor Page Builder plugin. This vulnerability allows an author-level user to create custom links with possible malicious XSS payload and create custom attributes to widgets, which again becomes a stored XSS risk. Patch has been released in version 2.9.10. Please update to this version as soon as possible.

More about the hack…

A vulnerability in Elementor Pro allowed Remote Code Execution on WP websites with open registration. The vulnerability stems from file upload permissions given to a subscriber level user. A subscriber is allowed to upload icon sets (in zip format) on the site.

Since Elementor Pro also lacked a validation check, it allowed questionable extensions and content to be uploaded. So a hacker with a minimum level authentication is now able to upload a .zip file with executable malicious code. Once the code is executed, the attacker could do anything. From uploading a shell or malware to inserting a backdoor, adding fake users, gaining administrative access, modifying settings, to even deleting the complete website.

In the patch that Elementor Pro released, it has now added the following code to validate the file contents of the zip. So that only CSS, EOT, HTML, JSON, OTF, SVG, etc file formats are allowed to be uploaded.

Arbitrary file upload patched in Elementor Pro

They added another patch to only allow authorized users (with an access level of Administrators and Super-Administrators) to upload files. If a user with the role of subscriber tries to upload a zip, it will throw an error.

User permission patched in Elementor Pro

The Ultimate add-on plugin doesn’t lack file upload rules as such. However, it allows anyone to get subscriber-level access to a website. Even in the absence of an active registration form.

This vulnerability in the Ultimate Addons for Elementor provides ground to hackers, which lets them exploit the more critical RCE vulnerability in Elementor Pro. So even if a website does not host a registration form, an attacker can add himself as a subscriber, which is the minimum requirement to exploit the RCE vulnerability in Elementor Pro.

Here, we must mention that the vulnerability lies exclusively in Elementor Pro and users of Elementor free version are safe from the attack.

Damage Control!

If you’re an Astra customer, you need not worry as Astra already blocks such file uploads. Just to be double sure, you can log in to your dashboard, navigate to Settings>>File Upload Rules, and see if the toggle key is already on.

File Upload Rules in Astra

If you want to block additional extensions, you can also add a file upload rule that deters all such malicious upload attempts.

Configure your File upload rules with Astra

All other users of Elementor Pro and Ultimate Add-on for Elementor are advised to update to the patched version. The patched versions, as I already mentioned are – 2.9.4 for Elementor Pro and 1.24.2 for Ultimate add-ons for Elementor.

If you have been hacked, you can get an immediate malware cleanup (takes under 4 hours) by Astra and restore your website to normalcy.

After ensuring the updates, also make sure to follow this WordPress security guide for enhanced security.

Was this post helpful?

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and shared his knowledge at various forums & invited talks.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany