Combined Attack on Elementor Pro and Ultimate Addons for Elementor Puts 1 Million Sites at Risk
On May 6, 2020, our Threat Intelligence team received reports of active exploitation of vulnerabilities in two related plugins, Elementor Pro and Ultimate Addons for Elementor. We have reviewed the log files of compromised sites to confirm this activity.
As this is an active attack, we wanted to alert you so that you can take steps to protect your site. We are intentionally limiting the amount of information this post provides, because this is an ongoing attack, and the most critical vulnerability has not yet been patched.
We have released a firewall rule which protects Wordfence Premium users against exploitation of this vulnerability. Free Wordfence users will be protected against this vulnerability after 30 days, on June 5, 2020.
Which plugins are affected by this attack
There are two plugins affected by this attack campaign. The first is Elementor Pro which is made by Elementor. This plugin has a zero day vulnerability which is exploitable if users have open registration.
UPDATE: As of 4:22 PM UTC today, May 7 2020, Elementor has released version 2.9.4 of Elementor Pro. Our threat intelligence team has verified that this patches this vulnerability. We recommend updating to this version immediately.
The second affected plugin is Ultimate Addons for Elementor, which is made by Brainstorm Force. A vulnerability in this plugin allows the Elementor Pro vulnerability to be exploited, even if the site does not have user registration enabled.
We estimate that Elementor Pro is installed on over 1 million sites and that Ultimate Addons has an install base of roughly 110,000.
Affected Plugin: Elementor Pro
Plugin Slug: elementor-pro
Affected Versions: <= 2.9.3
CVE ID: CVE-2020-13126
CVSS Score: 9.9 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 2.9.4
To be clear, this does not impact the free Elementor plugin with over 4 million installations available from the WordPress plugin repository. The Elementor Pro plugin is a separate download available from the Elementor.com website. We estimate that Elementor Pro has over 1 million active installations.
The vulnerability in Elementor Pro, which is rated Critical in severity, allows registered users to upload arbitrary files leading to Remote Code Execution. This is a zero day vulnerability.
An attacker able to remotely execute code on your site can install a backdoor or webshell to maintain access, gain full administrative access to WordPress, or even delete your site entirely. Due to the vulnerability being unpatched at this time, we are excluding any further information.
We have data via another vendor that indicates the Elementor team are working on a patch. We have contacted Elementor and did not immediately receive confirmation of this before publication.
Ultimate Addons for Elementor
Affected Plugin: Ultimate Addons for Elementor
Plugin Slug: ultimate-elementor
Affected Versions: <= 1.24.1
CVE ID: CVE-2020-13125
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 1.24.2
The Ultimate Addons for Elementor plugin recently patched a vulnerability in version 1.24.2 that allows attackers to create subscriber-level users, even if registration is disabled on a WordPress site.
Two vulnerabilities being used in concert to attack sites
Attackers are able to directly target the zero day vulnerability in Elementor Pro on sites with open user registration.
In cases where a site does not have user registration enabled, attackers are using the Ultimate Addons for Elementor vulnerability on unpatched sites to register as a subscriber. Then they proceed to use the newly registered accounts to exploit the Elementor Pro zero day vulnerability and achieve remote code execution.
What you should do
If you are using Wordfence Premium, your site has received a firewall rule to protect you against this active attack.
There are a number of steps a site owner not using Wordfence Premium can take to protect their site from this active attack.
Upgrade Ultimate Addons for Elementor immediately. Make sure Ultimate Addons for Elementor is version 1.24.2 or greater.
Downgrade to Elementor free until a patch is released for Elementor Pro. You can do so by deactivating Elementor Pro and removing it from your site. This will remove the file upload vulnerability.
Once a patch is released, you can re-install the patched version of Elementor Pro on your site and regain any lost functionality. You may temporarily lose some design elements once downgraded, but in our tests these elements came back when reinstalling Elementor Pro. Nevertheless, a backup prior to downgrading is always prudent.
Tip: If you need a list of where you have Elementor Pro installed, you can login to your account on Elementor.com and go to “Purchases” then “View Websites” for a full list where Elementor Pro is installed with that license.
UPDATE: As of 4:22 PM UTC today, May 7 2020, Elementor has released version 2.9.4 of Elementor Pro. Our threat intelligence team has verified that this patches this vulnerability. You no longer need to downgrade to keep your site safe as of this time. Instead, we recommend updating to version 2.9.4 immediately.
Check for any unknown subscriber-level users on your site. This may indicate that your site has been compromised as a part of this active campaign. If so, remove those accounts.
Check for files named “wp-xmlrpc.php.” These can be considered an indication of compromise, so check your site for evidence of this file. Wordfence will alert you if a file containing malware is found.
Delete any unknown files or folders found in /wp-content/uploads/elementor/custom-icons/ directory. Files located here after a rogue subscriber-level account has been created are a clear indication of compromise.
If you are seeing widespread infection, use Wordfence to clean your site. The linked guide will assist you, or you can engage our Security Services Team for a professional site cleaning. As always, premium customers have access to our customer support engineers if there are any questions.
Thank you to Customer Service Engineer Gerroald Barron for bringing this issue to our attention, as well as Stephen Rees-Carter, Ramuel Gall, and Kathy Zant for their assistance in researching this attack and testing mitigations.