Zero-Day Vulnerability in The Plus Addons for Elementor Plugin Puts Over 20,000 Websites at Risk

An extremely critical zero-day vulnerability in the premium plugin The Plus Addons for Elementor was patched today, March 10, 2021, in version 4.1.7. The Plus Addons for Elementor lets users add a user login/registration form to their Elementor pages. The vulnerability allows anyone to create new admin users on any WordPress website with the plugin installed (version <=4.1.6). The flaw also enables hackers to log in as existing administrative users and hijack the website. Given the severity of the vulnerability and the active exploitation, the plugin developers released the patch today in version 4.1.7 of The Plus Addons for Elementor.

We hereby encourage all users of The Plus Addons for Elementor to update to version 4.1.7 immediately to be safe.

Users on the free version of the plugin are not vulnerable and are safe from the hack.

If you’re an Astra Security user, you are also well-protected from the compromise.

Indicators of compromise

Since the vulnerability is being actively exploited, check whether your website has already been hacked before you update the plugin.

These are some of the hack symptoms that have been identified so far in this case:

  • Unknown plugins added. Malicious plugins by the name wp-strong and wpstaff have been seen on hacked websites.
  • Unknown admin users added. Some email addresses have been identified as associated with the hack. They are: jaredaracccc@gmail.com and trainwordpressai@site.com. This can be a starting point for detecting a compromise of your website.
  • Malicious JavaScript injected and other files modified.

At Astra, we are already tracking a rise in WordPress redirection hack cases, though we are still determining whether it is related to this vulnerability. The possibility cannot be entirely ruled out.

What can you do in case of zero-day vulnerability in The Plus Addons for Elementor Plugin?

If you are hacked, follow these steps to get rid of the hack:

  • Restore an unaffected backup from before the hack. If you do not have a clean backup, follow the steps below.
  • Take a complete backup of your current files and database.
  • Scan your website with a malware scanner.
  • Check all installed plugins on your website for unfamiliar additions. Log in to your WP admin panel, go to ‘Plugins > Installed plugins’ and review the list.
  • Review your admin users. To do this, log in to your WP admin panel, go to ‘Users’ and check all the recent additions and their respective permissions. In the ongoing exploit, hackers are adding user accounts whose username is the registered email address. Check for user accounts with the emails jaredaracccc@gmail.com and trainwordpressai@site.com.
  • Check for modifications in other files and folders.
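
The version, plugin and admin-user checks from the steps above can be scripted. The following is an added example, not code from Astra or the plugin developers. It assumes you have the names of the directories under `wp-content/plugins` and a CSV export of administrator accounts with `user_login` and `user_email` columns (for instance from WP-CLI's `wp user list --role=administrator --fields=user_login,user_email,user_registered --format=csv`); the function names and sample data are constructed for illustration.

```python
import csv
import io

# Indicators and versions taken from the article above.
IOC_PLUGIN_DIRS = {"wp-strong", "wpstaff"}
IOC_EMAILS = {"jaredaracccc@gmail.com", "trainwordpressai@site.com"}
PATCHED_VERSION = (4, 1, 7)


def is_vulnerable(version):
    """True for premium plugin versions below 4.1.7 (plain dotted numbers only)."""
    return tuple(int(part) for part in version.strip().split(".")) < PATCHED_VERSION


def flag_plugins(dir_names):
    """Return plugin directory names that match the reported malicious plugins."""
    return sorted(n for n in dir_names if n.strip().lower() in IOC_PLUGIN_DIRS)


def flag_admins(csv_text):
    """Return (login, reason) pairs for administrator rows that need attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"].strip()
        email = row["user_email"].strip().lower()
        if email in IOC_EMAILS:
            findings.append((login, "email listed as an indicator"))
        elif login.lower() == email:
            # Pattern seen in the ongoing exploit; also occurs legitimately, so review.
            findings.append((login, "username equals email, review"))
    return findings


# Constructed sample input, not data from a real site.
SAMPLE_PLUGIN_DIRS = ["elementor", "akismet", "wpstaff", "WP-Strong"]
SAMPLE_ADMINS_CSV = """user_login,user_email,user_registered
siteowner,owner@example.org,2019-04-02 10:11:12
jaredaracccc@gmail.com,jaredaracccc@gmail.com,2021-03-09 03:14:15
newhire@example.org,newhire@example.org,2021-03-08 09:00:00
"""

if __name__ == "__main__":
    print("vulnerable 4.1.6:", is_vulnerable("4.1.6"))
    print("suspicious plugins:", flag_plugins(SAMPLE_PLUGIN_DIRS))
    for login, reason in flag_admins(SAMPLE_ADMINS_CSV):
        print(f"admin {login}: {reason}")
```

An empty result only means these specific indicators were not found; the remaining steps (malware scan, file modification review) still apply.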

For next steps, follow this detailed WordPress hack removal guide.

For quick recovery, sign up for our immediate malware removal plan and our expert security team will clean your website in less than 4 hours.

Conclusion

A critical zero-day vulnerability in The Plus Addons for Elementor plugin is being actively exploited on WordPress websites. Users on the premium plan are affected. All users are requested to update to the patched version of the plugin, version 4.1.7.

Categories: Plugin Exploit
Aakanchha Keshri: Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.