Table of Contents

    Elementor Plugin Vulnerabilities And Their Impact On WordPress Sites

    WordPress (WP) security company Defiant recently warned users about a major security flaw in the Elementor Pro plugin. This threat was categorized as a zero-day vulnerability, as no patch was made available to users until May 7th, 2020.

    Elementor is a popular drag-and-drop page builder that has an estimated one million WP installations. While the free version seems stable, security loopholes were spotted on the Elementor Pro - the paid version of this plugin. 

    The first instance of attacks were noticed by the developers on May 6th, 2020 which were actively exploited in conjunction to another vulnerability found on the Ultimate Addons for Elementor plugin.

    The vulnerability allows hackers to run remote  scripts on Elementor-powered WP sites with the aim of stealing admin credentials or taking over the website. An update patch has already been released (Elementor Pro 2.9.4) to fix the problem, and all users are requested to immediately update the plugin.

    About The Critical Zero-Day Vulnerability

    WordFence, a WP security company reported that Elementor Pro has a critical zero-day vulnerability that has put almost a million websites at risk. The Common Vulnerability Scoring System (CVSS) released the details of the threat based on their identification keys and scores.

    Simply put, if you run a WP website powered by the Elementor Pro plugin and allow users to register to your website for commenting and contributing, your website might be prone to attacks. The problem is  more deep-rooted than it seems. As it has almost 50 additional widgets and is used by over a million websites, this zero-day threat stirs up immediate security concerns.

    This vulnerability got a CVSS threat score of 9.9/10 because it can be exploited to upload files and execute codes remotely once the hacker registers on the website. They can use the upload option to install a webshell or a backdoor which can help take over administrative access, place ransomware, or even delete the site completely.

    Another Vulnerable Plugin: The Ultimate Addons Tool

    This is an extension which offers multiple widgets. Of these available widgets, one is used to add registration forms on any WordPress sites, irrespective of the fact that the site doesn’t use Elementor. 

    The flaw that came to light is that even if this feature was disabled by the site owner, or the widget wasn’t used actively on the sites, any user could register on the website. Although the form used nopriv and usual AJAX functions to provide the functionality, the loophole was said to be with the verification or alternative checks of the registered users. 

    Hackers were scraping the source code of the websites to register fake accounts in order to create backdoor entry points and webshells. Once registered, hackers started performing a series of subsequent sub-level attacks. CVSS rated it a 7.2/10, thus underlining the gravity of this threat.

    How To Keep Safe

    Once these threats were reported to the developers, they immediately released update patches to fix the vulnerabilities. As of the time of writing, every website owner using Elementor Pro is urged to update their plugin to the latest version 2.9.4 to keep their websites protected. Even if you’re using the free version, you must update the plugin to version 2.8.5 from your Admin Panel.

    Another patch update has also been released to fix the loophole in the Ultimate Addons plugin. In general, a good way to prevent these attacks on your site is by disabling user registration unless it’s required.

    Keeping Up With The Release Of New Threats

    To secure your WordPress-powered sites and keep tabs on security patches and new threats, it’s important to regularly update the core code. 

    WordPress releases new updates frequently and you must allow auto-updates via your Admin dashboard.

    You can also use detection and prevention tools like WordFence, maintain complex passwords, and remove repository, git, or subversion files from public access. Additionally, subscribe to the newsletters and notifications from the International Institute of Cyber Security (IICS) to stay abreast of the latest developments and zero-day vulnerabilities.

    Bottom Line

    There is no way of knowing when a security loophole can be exploited. Hence, the best way to protect your site is to stay updated on what’s happening in the cybersecurity world. Keep all of plugins, themes, and core PHP modules updated. Use complex passwords and prohibit user registration on your site unless it’s an absolute requirement.