Combined Attack on Elementor Pro and Ultimate Addons for Elementor Puts 1 Million Sites at Risk


On May 6, 2020, our Threat Intelligence team received reports of active exploitation of vulnerabilities in two related plugins, Elementor Pro and Ultimate Addons for Elementor. We have reviewed the log files of compromised sites to confirm this activity.

As this is an active attack, we wanted to alert you so that you can take steps to protect your site. We are intentionally limiting the amount of information this post provides, because this is an ongoing attack, and the most critical vulnerability has not yet been patched.

We have released a firewall rule which protects Wordfence Premium users against exploitation of this vulnerability. Free Wordfence users will be protected against this vulnerability after 30 days, on June 5, 2020.

Which plugins are affected by this attack

There are two plugins affected by this attack campaign. The first is Elementor Pro which is made by Elementor. This plugin has a zero day vulnerability which is exploitable if users have open registration.

UPDATE: As of 4:22 PM UTC today, May 7 2020, Elementor has released version 2.9.4 of Elementor Pro. Our threat intelligence team has verified that this patches this vulnerability. We recommend updating to this version immediately.

The second affected plugin is Ultimate Addons for Elementor, which is made by Brainstorm Force. A vulnerability in this plugin allows the Elementor Pro vulnerability to be exploited, even if the site does not have user registration enabled.

We estimate that Elementor Pro is installed on over 1 million sites and that Ultimate Addons has an install base of roughly 110,000.

Elementor Pro

Description: Authenticated Arbitrary File Upload
Affected Plugin: Elementor Pro
Plugin Slug: elementor-pro
Affected Versions: <= 2.9.3
CVE ID: CVE-2020-13126
CVSS Score: 9.9 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 2.9.4

To be clear, this does not impact the free Elementor plugin with over 4 million installations available from the WordPress plugin repository. The Elementor Pro plugin is a separate download available from the Elementor.com website. We estimate that Elementor Pro has over 1 million active installations.

The vulnerability in Elementor Pro, which is rated Critical in severity, allows registered users to upload arbitrary files leading to Remote Code Execution. This is a zero day vulnerability.

An attacker able to remotely execute code on your site can install a backdoor or webshell to maintain access, gain full administrative access to WordPress, or even delete your site entirely. Because the vulnerability is unpatched at this time, we are withholding any further details.

We have data via another vendor that indicates the Elementor team is working on a patch. We contacted Elementor but did not receive confirmation of this before publication.

Ultimate Addons for Elementor

Description: Registration Bypass
Affected Plugin: Ultimate Addons for Elementor
Plugin Slug: ultimate-elementor
Affected Versions: <= 1.24.1
CVE ID: CVE-2020-13125
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 1.24.2

The Ultimate Addons for Elementor plugin recently patched a vulnerability in version 1.24.2 that allows attackers to create subscriber-level users, even if registration is disabled on a WordPress site.

Two vulnerabilities being used in concert to attack sites

Attackers are able to directly target the zero day vulnerability in Elementor Pro on sites with open user registration.

In cases where a site does not have user registration enabled, attackers are using the Ultimate Addons for Elementor vulnerability on unpatched sites to register as a subscriber. Then they proceed to use the newly registered accounts to exploit the Elementor Pro zero day vulnerability and achieve remote code execution.

What you should do

If you are using Wordfence Premium, your site has received a firewall rule to protect you against this active attack.

There are a number of steps a site owner not using Wordfence Premium can take to protect their site from this active attack.

Upgrade Ultimate Addons for Elementor immediately. Make sure Ultimate Addons for Elementor is version 1.24.2 or greater.

Downgrade to Elementor free until a patch is released for Elementor Pro. You can do so by deactivating Elementor Pro and removing it from your site. This will remove the file upload vulnerability.

Once a patch is released, you can re-install the patched version of Elementor Pro on your site and regain any lost functionality. You may temporarily lose some design elements once downgraded, but in our tests these elements came back when reinstalling Elementor Pro. Nevertheless, a backup prior to downgrading is always prudent.

Tip: If you need a list of where you have Elementor Pro installed, you can log in to your account on Elementor.com and go to “Purchases” then “View Websites” for a full list of the sites where Elementor Pro is installed under that license.

UPDATE: As of 4:22 PM UTC today, May 7 2020, Elementor has released version 2.9.4 of Elementor Pro. Our threat intelligence team has verified that this patches this vulnerability. You no longer need to downgrade to keep your site safe as of this time. Instead, we recommend updating to version 2.9.4 immediately.

Check for any unknown subscriber-level users on your site. This may indicate that your site has been compromised as a part of this active campaign. If so, remove those accounts.

Check for files named “wp-xmlrpc.php”. This file is not part of WordPress (the legitimate core file is xmlrpc.php, without the “wp-” prefix), so its presence is an indication of compromise in this campaign. Wordfence will alert you if a file containing malware is found.

Delete any unknown files or folders found in the /wp-content/uploads/elementor/custom-icons/ directory. Files located here after a rogue subscriber-level account has been created are a clear indication of compromise.
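The three checks above, as an added read-only triage script (not Wordfence's or Elementor's code). It assumes the WordPress root is passed as the first argument and, for the user check, that WP-CLI (`wp`) is installed and can reach the site's database; without it the script only points you at the Users screen.

```sh
#!/bin/sh
# Added example: triage a WordPress install for the indicators in this post.
# Assumes $1 is the WordPress root (hypothetical path in the usage line).

# Any file named wp-xmlrpc.php. WordPress core ships xmlrpc.php (no "wp-"
# prefix), so the prefixed name has no legitimate reason to exist.
find_rogue_xmlrpc() {
    find "$1" -type f -name 'wp-xmlrpc.php' 2>/dev/null
}

# Everything in the Elementor custom-icons upload directory except the
# .htaccess the plugin itself generates there.
find_custom_icon_artifacts() {
    dir="$1/wp-content/uploads/elementor/custom-icons"
    [ -d "$dir" ] || return 0
    find "$dir" -mindepth 1 ! -name '.htaccess' 2>/dev/null
}

count_rogue_xmlrpc() {
    find_rogue_xmlrpc "$1" | wc -l | tr -d ' '
}

count_custom_icon_artifacts() {
    find_custom_icon_artifacts "$1" | wc -l | tr -d ' '
}

# Subscriber accounts with their registration dates, via WP-CLI when present,
# so recently created unknown accounts stand out against the attack window.
list_subscribers() {
    if command -v wp >/dev/null 2>&1; then
        wp --path="$1" user list --role=subscriber \
            --fields=ID,user_login,user_registered --format=csv \
            || echo "  (wp-cli could not query users; review Users in wp-admin)"
    else
        echo "  (wp-cli not installed; review Users > Subscriber in wp-admin)"
    fi
}

# Print every finding; exit status is 0 only when no file indicator was found.
triage_site() {
    root="$1"
    echo "== files named wp-xmlrpc.php under $root"
    find_rogue_xmlrpc "$root"
    echo "== unexpected entries in wp-content/uploads/elementor/custom-icons"
    find_custom_icon_artifacts "$root"
    echo "== subscriber accounts (compare user_registered with the attack window)"
    list_subscribers "$root"
    hits=$(( $(count_rogue_xmlrpc "$root") + $(count_custom_icon_artifacts "$root") ))
    echo "== file indicators found: $hits"
    [ "$hits" -eq 0 ]
}

# Usage: sh triage.sh /var/www/example.com/htdocs   (hypothetical path)
if [ -n "${1:-}" ]; then
    triage_site "$1"
fi
```

A non-zero exit status means at least one file indicator was found and the site should be treated as compromised until cleaned.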

If you are seeing widespread infection, use Wordfence to clean your site. The linked guide will assist you, or you can engage our Security Services Team for a professional site cleaning. As always, premium customers have access to our customer support engineers if there are any questions.

Thank you to Customer Service Engineer Gerroald Barron for bringing this issue to our attention, as well as Stephen Rees-Carter, Ramuel Gall, and Kathy Zant for their assistance in researching this attack and testing mitigations.


Comments

  • Hi Wordfence team,

    Does that mean if I have user registration disabled I am safe even if I use Elementor Pro?

    Best regards,
    Bastian

    • Hi Bastian,

      If you have registration disabled, you should be safe. However, we can not guarantee that any of the other plugins you have installed on your site do not have a subscriber registration vulnerability. For that reason, it is still highly recommended you downgrade to the free version of Elementor until a patch has been released for the pro version. This will provide you with optimal security. If you are running Wordfence premium on your site, then you have received a firewall rule to block against any exploit attempts.

      • Hi Chloe, thanks a lot. Keep up the good work.

  • Is it correct to assume that allowing users to register through WooCommerce meets the requirement of "open user registration"? If I read this correctly, anyone with a subscriber account can attack the Elementor Pro vulnerability.

    • Hi Adam,

      Yes, that is correct. Allowing users to register through WooCommerce will meet the requirement. Any user with the ability to create a subscriber-level user account has the ability to exploit the vulnerability found in Elementor Pro.

      • I see WooCommerce creates a "client" role account for each purchaser. Does that qualify as a subscriber-level account? Is there a specific permission?

        • Hi Marc,

          Any user with the capability to register on a site, including WooCommerce specific roles, has the potential to exploit the vulnerability found in Elementor Pro. However, it may be more difficult for "Customer" level roles due to some of the requirements needed to exploit the vulnerability.

          A patch has been released in version 2.9.4, therefore, we recommend updating to that version at this point to stay safe.

      • does that include "customer" user role?

        • Hi Clay,

          That does include the "Customer" role.

  • If Ultimate Addons is patched to 1.24.2 AND user registration has been disabled is there a security risk currently?

    • Hi David,

      Technically, though very minimal, there is still a security risk due to the possibility that an attacker could discover another vulnerability in a different plugin to allow subscriber registration. If you're running Wordfence premium that risk is eliminated due to the firewall rule we released that will block any exploit attempts. If you are not running Wordfence premium, we recommend downgrading to the free version of Elementor until a patch has been released for optimal security.

  • You note above that "If you are using Wordfence Premium, your site has received a firewall rule to protect you against this active attack." I'm not quite clear if this firewall rule is automatically received/installed or I have to do something. I don't see that the WordFence Plugin needs an update. Is there some place in WordFence that I can see this new rule to make sure it is there?

    Thank you.

    • Hi there,

      The firewall rule updates occur automatically and are fetched from our servers without needing a plugin update. This typically happens twice a day, however, we pushed a rule update to all premium users yesterday to ensure sites got the rule ASAP. If you would like to be extra certain your site has received the rule, you can go to Wordfence->Firewall->All Firewall Options->Advanced Firewall Options->Rules and click the button that says "Manually Refresh Rules." This will trigger a rule update and guarantee your site has updated with this firewall rule for extra peace of mind that your site is protected.

  • What if I disable user registration now? Does that still open a backdoor in my WordPress install?

    • Hi Saptak,

      If you disable registration now, your site should be relatively safe. However, we can not guarantee that any of the other plugins you have installed on your site do not have a subscriber registration vulnerability that bypasses disabled user registration. For that reason, it is still highly recommended you downgrade to the free version of Elementor until a patch has been released for the pro version. This will provide you with optimal security. If you are running Wordfence premium on your site, then you have received a firewall rule to block against any exploit attempts.

      • I currently have Elementor Pro, with WooCommerce and the Astra theme. I already changed the registration config for now. Thanks for notifying us about this attack.

        So most of the time, do these attackers target all websites or do they specifically target popular websites?

        • Hi Saptak,

          It depends on the attacker and the vulnerability they are targeting. With most easily exploitable vulnerabilities, we see that attackers will target as many sites as possible regardless of the site's popularity in hopes of infecting as many sites as possible.

  • Hi, good to read this (in a way, but bad to know!). We have 100+ sites with Elementor Pro and luckily we keep excellent backups. However, we can't simply downgrade Elementor on these production sites as features will just stop working. We also have WordFence on all websites, but the free version. Will the free version protect websites?

    • Hi William,

      As of right now, only Wordfence premium users have received a firewall rule to protect against exploit attempts. Wordfence free users will receive this rule in 30 days on June 5th.

      • Now there has been a fix released for Elementor Pro I'd like to ask something.

        If free users were to have updated your firewall rules manually, would they have fallen under your protection? Are they the same rules as the pro users but updated less frequently? Or are the free Wordfence firewall rules different?

        • Hi there,

          Wordfence free users would not have received the rule with a manual update. Wordfence premium users receive new firewall rules immediately, while free Wordfence users will receive the same rule after 30 days. Currently Wordfence free users do not have the WAF rule for the vulnerability, however, they will receive the same rule in 30 days on June 5th.

  • Where is CVE and PoC of potential attack vector or where is any other info about this issue?

    • Hi David,

      There are currently no registered CVEs for these two vulnerabilities, however, we will update the post with those once they have been assigned. We purposefully omitted proof of concepts from this post in order to limit the information publicly available needed to exploit these vulnerabilities due to Elementor Pro being unpatched at the time of publication.

  • Could you include the slugs (directory names of the directories that by default these plugins would be installed in)? That helps those of us who want to do a serverwide search for the plugins (assuming the installer did not rename the directory).

    Thanks

    • Hi Mike,

      We have updated the post to include the plugin slugs. Thanks!

  • I had a new subscriber on 3 of my sites that were affected because UA wasn't updated at that moment.
    The hacker couldn't upload files because I hardened my security in advance.

    This happened yesterday, 06.05.2020 at 2am UTC.

    Did Wordfence push the new firewall rule after that time or before?

    Best,
    Tobi

    • Hi Tobi,

      The firewall rule was pushed to production at around 12AM UTC.

  • I see Elementor Pro has been patched to version 2.9.4 - Do you know if this deals with the issue? Cannot get a reply from Elementor as yet

    • Hi there,

      We have confirmed that Elementor Pro version 2.9.4 patches this vulnerability. We highly recommend updating to that version immediately.

  • As of May 7th a new version of Elementor Pro just became available. Is this the fix? It says it hardens a user registration form. It would be helpful if you all provided the version number of Elementor Pro that was vulnerable. I have 2.9.3 installed, and 2.9.4 just became available.

    • Hi there,

      We have confirmed version 2.9.4 contains a patch to fix the vulnerability. We have provided an update in the post to reflect this information.

  • Looks like Elementor Pro may have been patched.

    • Hi Chris,

      Elementor Pro has released a patch in version 2.9.4. We have updated the post to reflect this information.

  • Elementor Pro JUST released an update (version 2.9.4) that fixes this issue: https://elementor.com/pro/changelog/

    Thanks for the warning Wordfence! Your plugin notified me of a malicious file that was injected into my site yesterday. These files were added in the Elementor custom icons folder. I removed the files immediately and went into Elementor > Role Manager (I have members plugin) and excluded all roles that can edit in Elementor. Just FYI.

  • Hi,
    Elementor have released an upgrade to their Pro plugin which I have applied across the board to our sites. I've also run a check with our ISP and there are no instances of wp-xmlrpc.php. Given this would you still recommend reverting all sites to basic Elementor?
    Thanks for your ongoing work for the community,
    Andy

    • Hi Andy,

      If you have updated to version 2.9.4 of Elementor Pro, you do not need to downgrade to the free version as the vulnerability has been patched in their latest release. We have updated the post to reflect this information.

  • Spoke with Elementor this morning they have fixed this issue for Pro:

    Hi,

    It's a pleasure to get to you.

    I understand your concern and would like to share with you that we have already created a fix for this issue contained in the Elementor Pro 2.9.4 update which should be visible for you within your WordPress Dashboard in the next few hours.

  • We got hacked because of this on one of our sites, but the Wordfence-protected site was safe!

    We had both the plugins installed.

    Thank you!

    In the /wp-content/uploads/elementor/custom-icons/ directory, only thing that was there was an .htaccess file. Is that safe?

    • Hi Ron,

      We are happy to hear Wordfence protected your site! The .htaccess file in the /custom-icons directory should be safe as long as it hasn't been modified.

  • Hi guys

    My site is deployed via composer and the file permissions are set so PHP and the webserver only have write access to /uploads.

    I've updated as per your advice, but I was curious if my setup would have been vulnerable to this attack?

    Cheers

    • Hi there,

      If I understand your installation's set-up correctly, then yes your site still would've been vulnerable to this attack. One way you can test this is just to upload a simple media file through your WordPress website's dashboard and, if that file is successfully uploaded, then you can confirm that this exploit would've been successful.

  • Basic Elementor is updated, but my Pro license has expired, and at this point I would no longer need to renew it since I have already finished the development I needed Pro for. In this case does the risk remain, or is there any alternative way to update (under warranty / recall)?!

    • Hello Mirian,

      The risk will remain if you continue to run the vulnerable version of Elementor Pro on your site. If you can not update, we recommend downgrading to the free version of the plugin, however, this has the potential to cause some loss in site functionality. I recommend reaching out to the Elementor team directly to see if they can offer you any alternative solutions for protection.

  • Not surprising in either case. When you get as bloated as these page builders are, and managed by a very small team with no open source code it is a recipe for disaster.

    Many of Brainstorm Force plugins are trying to make page-builder-add-ons. It is a recipe for disaster if you are installing third party hacks of page builders and hoping the small teams patching them weekly.

    This whole thing is a trend. Hopefully thousands of teams revert to no page builders and vastly improve the security and performance of their WP site.

  • Hi,

    Thank you for this update.

    May I know, do you mean version 2.9.2 is not affected by this issue? Is version 2.9.3 affected?

    Thank you!

    • Hi Sean,

      This affects all versions starting at 2.9.3 and below. Version 2.9.2 is affected by the issue.

      • Thank you for your reply & I really appreciate your support & customer service!!

  • If the site is under construction, can it be attacked?

    • I mean with the plugin "Under construction".

      • Hi Pau,

        Your site can still be attacked, and potentially compromised, while running in an under construction mode. When running a site maintenance plugin like "Under Construction," your site is not taken fully offline, only the front-end is no longer available to users, so the vulnerable endpoints are still available to attackers.

  • Hi WordFence team,
    Both plugins' developers have published updates. Will you publish a PoC to help the community (and those who do not have the premium plugin) better understand this exploit and protect themselves (those who, for whatever reason, could not update)?

    Thank you

    • Hi Peter,

      We may publish an analysis of the issues. However, considering this is being actively exploited, we will certainly wait a few more days to give folks time to update before releasing any more information that could potentially aid additional attackers and cause a spike in attacks.

  • My site is hacked [1 subscriber user created, wp xml file created and custom-icons files created].

    I have deleted all of the above and updated both plugins to the latest version.
    Is my site safe? Do I need to do any checks to verify it is safe?

    • Hi Vijay,

      It is possible that there are malicious files elsewhere in the installation. One common file we are seeing outside of the /custom-icons directory is wp-xmlrpc.php. I highly recommend checking your site's files to verify that there is no presence of that file. If you do find this file in your installation, we recommend removing it.

      Please follow this guide on How to Clean a Hacked WordPress Site to ensure you have removed any additional remnants of malware. Alternatively, you can use our Security Services Team to do a thorough inspection of your site's files and database to be sure nothing was missed.

  • Are you infected now? What to do? Try to put Wordfence to clean, but it will be ignored as file folders on the side. An injection creates a .class-wp-cache.php and modified index.php file throughout the site and if you delete it, it will reappear. As soon as Wordfence is installed, a critical error occurs on the website and the website no longer opens. How can I proceed? Thank you!

    • There may be malware in a commonly used file that regenerates additional malware. If you need assistance, please check with our Security Services Team as they're happy to assist. A site cleaning comes with a 90 day guarantee and a Wordfence Premium license key to keep your site safe from intrusion going forward.

  • Hi and thank you WordFence team for the information and suggestions.
    On May 5, I deleted an unknown user and a suspicious new file found by Wordfence. Then I restored all files and databases from a backup I saved earlier (May 3). After that, I checked my "custom icons" folder (as suggested by Elementor in their Q&A for this issue). The only file in the folder was the ".htaccess" file. But its last modified date was May 5, the time when my site was in danger. (I restored my site on May 8.)
    Does it mean that my restoration wasn't complete and files showing "last modified on May 5" may be dangerous? (I'm using Wordfence premium and the scan looks fine.)
    Thank you so much for your support!

    • Hi Marie,

      The .htaccess file is automatically generated in the /custom-icon folder by the plugin. It sounds like an attacker may have uploaded files on May 5th, which auto-populated the .htaccess file in the /custom-icon folder, however, they removed their original malicious files from the /custom-icon folder to cover their tracks while injecting a malicious backdoor elsewhere on your site.

      Files modified on May 5th may be suspicious, however, the .htaccess file in that folder should be safe. If you are unsure, I recommend just removing the entire /custom-icon directory and allow that folder to repopulate in the future when, and if, you decide to upload any custom icons.

      If you have run a Wordfence scan and it did not uncover any additional malicious files, then your site should be clean.

      P.S. I updated your comment to display your display name rather than your account name.

  • Hello, I found a file named xmlrpc.php in a wordpress site root. It's not exactly like the files mentioned in the post, because it misses the "wp-..."

    Should I worry about this site's security?

    Regards.

    • The xmlrpc.php file is a part of the WordPress core installation and is not malicious. Ensure that Wordfence is installed and scanning, update all of your core, theme, and plugin files, and you should be just fine.

      Thank you for your comment.

  • I have a site that was hacked on 5/10. I'm currently looking through the installation files and there is way more than the file "wp-xmlrpc.php"... I found a ton of other files with redirects and JS scripts... I have a few test sites on the same server and even after installing a new instance of WordPress, after a few minutes that installation is infected as well... Any more details as to what the hack is about? I'm trying to find what is autogenerating these files and redirects.

    • If all of your WordPress sites are hosted in the same account and running under the same server-based user (e.g., they're all in the same cPanel), then you'd have to clean them all at once in order to ensure that they're all clean at the same time. Otherwise, it's like playing whack-a-mole. You clean one site while another infected site is being used to pollute the entire hosting account. We do recommend isolating your sites in different accounts on the server to prevent this type of cross contamination. If you need assistance, our Security Services Team can assist.

  • Here's an idea that I think would be good to consider. It's a two-fold solution:

    a) remove write access from your filesystem, leaving just one folder (the one you intend to allow uploads to) with write access; ensure there are override files your system recognises (like .htaccess, .php.ini and similar) present and read-only, so they can't be replaced (or otherwise can't be created/won't be honoured - if you don't need them),

    and

    b) use the aforementioned override files (as necessary) to configure this folder to disallow execution of any uploaded scripts your web server might recognise.

    It's not a fool-proof solution and it won't work everywhere (some web hosts may not offer this level of access to the underlying filesystem). Notably, it prevents Wordpress from self-updating, since it won't have write access to its own files - something I often argue to be a good thing, actually, as it eliminates a good number of security concerns (though not without obvious drawbacks). It also won't prevent your website from being used as part of a "surprise CDN" by the bad guys. But if you're concerned with the possibility of arbitrary server-side code being stored and executed, this solution should lay many of your fears to rest.
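One way to apply the commenter's two-fold idea, as an added example that is not the commenter's, Wordfence's or Elementor's code. It assumes an Apache host whose AllowOverride setting honours FilesMatch/Require in .htaccess, that the first argument is the WordPress root and the second is the single directory that must stay writable (normally wp-content/uploads, which contains the elementor/custom-icons path from the post), and, as the comment warns, that you re-open write access before running WordPress or plugin updates.

```sh
#!/bin/sh
# Added example: lock a WordPress tree read-only except for one upload
# directory, and make that directory non-executable for the web server.
# Hypothetical paths in the usage line; run as the owner of the files.

# (b): a read-only override file in the writable directory that refuses to
# serve anything script-like, so a file dropped there (for example under
# elementor/custom-icons) is never executed. Apache 2.4 syntax.
write_noexec_htaccess() {
    target="$1/.htaccess"
    rm -f "$target"                     # replace even if an old copy is read-only
    cat > "$target" <<'EOF'
# Uploads are data, never code: do not serve script files from this tree.
<FilesMatch "\.(php|php[0-9]|phtml|phar|cgi|pl)$">
    Require all denied
</FilesMatch>
EOF
    chmod 0444 "$target"                # part of (a): override file is read-only
}

# (a): strip write permission from the whole tree, then restore it only
# below the uploads directory.
lock_tree_except_uploads() {
    root="$1"; uploads="$2"
    find "$root" -type d -exec chmod 0555 {} +
    find "$root" -type f -exec chmod 0444 {} +
    find "$uploads" -type d -exec chmod 0755 {} +
    find "$uploads" -type f -exec chmod 0644 {} +
    write_noexec_htaccess "$uploads"    # last, so it keeps mode 0444
}

# Returns 0 when the policy holds: no owner-writable directory outside the
# uploads tree, and a read-only deny rule present in uploads/.htaccess.
verify_policy() {
    root="$1"; uploads="$2"
    ht="$uploads/.htaccess"
    grep -q 'Require all denied' "$ht" || return 1
    [ "$(find "$ht" -perm -0200 | wc -l | tr -d ' ')" -eq 0 ] || return 1
    writable=$(find "$root" -type d -perm -0200 ! -path "$uploads*" | wc -l | tr -d ' ')
    [ "$writable" -eq 0 ]
}

# Usage: sh lockdown.sh /var/www/site /var/www/site/wp-content/uploads
if [ -n "${2:-}" ]; then
    lock_tree_except_uploads "$1" "$2" && verify_policy "$1" "$2"
fi
```

WordPress also writes to places other than uploads (for example wp-content/upgrade during updates), so expect those operations to fail until write access is temporarily restored.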