An extremely critical zero-day vulnerability in the premium plugin The Plus Addons for Elementor was patched today, March 10, 2021, in version 4.1.7. The plugin lets users add a login/registration form to their Elementor pages. The vulnerability allows anyone to create new administrator users on any WordPress website running the plugin (version <= 4.1.6). The flaw also lets attackers log in as existing administrative users and hijack the website. Given the severity of the vulnerability and the active exploitation, the plugin developers released a patch today as the latest version of The Plus Addons for Elementor, version 4.1.7.
We hereby encourage all users of The Plus Addons for Elementor to update to version 4.1.7 immediately to be safe.
Users on the free version of the plugin are not vulnerable and are safe from the hack.
If you’re an Astra Security user, you are also well-protected from the compromise.
Indicators of compromise
Since the vulnerability is being actively exploited, check whether your website has already been compromised before you update the plugin.
These are some of the hack symptoms that have been identified so far in this case:
- Unknown plugins added. Malicious plugins named wp-strong and wpstaff have been seen on hacked websites.
- Unknown admin users added. Some email addresses have been identified as associated with the hack: jaredaracccc@gmail.com and trainwordpressai@site.com. These can be a starting point for detecting a compromise on your website.
- Malicious JavaScript injected and other files modified.
At Astra, we are already tracking a rise in WordPress redirection hack cases, though we are still determining whether it is related to this vulnerability; the possibility cannot be ruled out.
What can you do in case of zero-day vulnerability in The Plus Addons for Elementor Plugin?
If you have been hacked, follow these steps to remove the hack:
- Restore a clean backup taken before the compromise. If you do not have a clean backup, follow the steps below.
- Take a complete backup of your current files and database.
- Scan your website with a malware scanner.
- Check all installed plugins on your website for unfamiliar additions. Log in to your WP admin panel, go to 'Plugins > Installed Plugins' and review the list.
- Review your admin users. Log in to your WP admin panel, go to 'Users' and check all recent additions and their respective permissions. In the ongoing exploit, attackers are adding user accounts whose username is identical to the registered email address. Check for user accounts with the emails jaredaracccc@gmail.com and trainwordpressai@site.com.
- Check for modifications in other files and folders.
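The plugin and admin-user checks in the indicators of compromise above and in the remediation steps can be scripted against WP-CLI output. The following is an added example written for this post, not code from Astra or from the plugin vendor: it reads the CSV that `wp user list --role=administrator --format=csv` and `wp plugin list --format=csv` print (here replaced by constructed sample rows), flags admin accounts that match the advisory's email indicators, accounts whose username equals their email address, accounts created inside an assumed review window, plugin slugs outside an assumed allowlist (marking wp-strong and wpstaff as known malicious), and reports whether The Plus Addons is still below 4.1.7. The plugin folder name `theplus_elementor_addon`, the allowlist and the review window are assumptions, not values from the advisory.

```python
import csv
import io
from datetime import datetime

# Indicators named in the advisory above.
IOC_EMAILS = {"jaredaracccc@gmail.com", "trainwordpressai@site.com"}
IOC_PLUGIN_SLUGS = {"wp-strong", "wpstaff"}
PATCHED_VERSION = (4, 1, 7)

# Assumed plugin folder name for the premium add-on (not stated in the advisory).
PLUS_ADDONS_SLUG = "theplus_elementor_addon"

# Assumed allowlist: plugins the site owner knows they installed.
EXPECTED_PLUGINS = {"elementor", PLUS_ADDONS_SLUG}

# Constructed sample of `wp user list --role=administrator --format=csv` output.
SAMPLE_USERS_CSV = """ID,user_login,user_email,user_registered,roles
1,siteowner,owner@example.org,2019-05-02 10:11:12,administrator
57,jaredaracccc@gmail.com,jaredaracccc@gmail.com,2021-03-09 03:22:41,administrator
58,helper,helper@example.net,2021-03-10 01:02:03,administrator
"""

# Constructed sample of `wp plugin list --format=csv` output.
SAMPLE_PLUGINS_CSV = """name,status,update,version
elementor,active,none,3.1.4
theplus_elementor_addon,active,available,4.1.6
wp-strong,active,none,1.0
"""


def parse_csv(text):
    """Parse WP-CLI CSV output into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_version(version):
    """Turn '4.1.6' into (4, 1, 6) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def suspicious_admins(users, review_since):
    """Return (user ID, reasons) for administrator rows that match the
    advisory's indicators or were registered inside the review window."""
    findings = []
    for user in users:
        reasons = []
        email = user["user_email"].strip().lower()
        login = user["user_login"].strip().lower()
        if email in IOC_EMAILS:
            reasons.append("email matches known IoC")
        if login == email:
            reasons.append("username equals email address (pattern seen in this campaign)")
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= review_since:
            reasons.append("registered within review window")
        if reasons:
            findings.append((int(user["ID"]), reasons))
    return findings


def unknown_plugins(plugins, expected):
    """Return (slug, tag) for installed plugins outside the allowlist."""
    findings = []
    for plugin in plugins:
        slug = plugin["name"]
        if slug in expected:
            continue
        tag = "known malicious slug" if slug in IOC_PLUGIN_SLUGS else "not in allowlist"
        findings.append((slug, tag))
    return findings


def plus_addons_vulnerable(plugins):
    """True if The Plus Addons is installed at a version below 4.1.7."""
    for plugin in plugins:
        if plugin["name"] == PLUS_ADDONS_SLUG:
            return parse_version(plugin["version"]) < PATCHED_VERSION
    return False


def triage(users_csv=SAMPLE_USERS_CSV, plugins_csv=SAMPLE_PLUGINS_CSV,
           review_since=datetime(2021, 3, 1)):
    """Run all three checks and return a report dict."""
    users = parse_csv(users_csv)
    plugins = parse_csv(plugins_csv)
    return {
        "admins": suspicious_admins(users, review_since),
        "plugins": unknown_plugins(plugins, EXPECTED_PLUGINS),
        "plus_addons_vulnerable": plus_addons_vulnerable(plugins),
    }


if __name__ == "__main__":
    report = triage()
    for user_id, reasons in report["admins"]:
        print(f"admin ID {user_id}: " + "; ".join(reasons))
    for slug, tag in report["plugins"]:
        print(f"plugin {slug}: {tag}")
    if report["plus_addons_vulnerable"]:
        print(f"{PLUS_ADDONS_SLUG} is below {'.'.join(map(str, PATCHED_VERSION))}: update now")
```

On a real site, replace the two sample strings with the captured WP-CLI output and set `review_since` to the last date you are confident the admin list was clean. A hit on the review-window rule alone is a prompt to verify the account with its owner, not proof of compromise; a match on the IoC emails or a known malicious plugin slug should be treated as a confirmed indicator and the site handled as compromised per the steps above.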
For next steps, follow this detailed WordPress hack removal guide.
For quick recovery, sign up for our immediate malware removal plan and our expert security team will clean your website in less than 4 hours.
Conclusion
A critical zero-day vulnerability in The Plus Addons for Elementor plugin is being actively exploited on WordPress websites. Users on the premium plan are affected. All users are requested to update to the patched version of the plugin, version 4.1.7.