Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

Critical 0-day in The Plus Addons for Elementor Allows Site Takeover

This entry was posted in Research, Vulnerabilities, WordPress Security on March 8, 2021 by Chloe Chamberland   28 Replies

UPDATE 2: As of late March 9th, 2021, the vulnerabilities have been fully patched in version 4.1.7. We highly recommend updating to this version immediately to keep your sites secure.  Special thanks to the plugin developers for working as quickly as possible to resolve these issues. 

UPDATE 1: As of March 9th, 2021, the vulnerability is still not fully patched. The plugin developer released a partially patched version of the plugin (4.1.6) shortly after our disclosure, however, the update does not fully address the vulnerability. We are in contact with the developer and they are working quickly on the additional fixes required, we expect a new patch will be released shortly. We will update this post once a fully sufficient patch has been released. 

Today, March 8, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day in The Plus Addons for Elementor, a premium plugin that we estimate has over 30,000 installations. This vulnerability was reported this morning to WPScan by Seravo, a hosting company. The flaw makes it possible for attackers to create new administrative user accounts on vulnerable sites, if user registration is enabled, along with logging in as other administrative users.

The Plus Addons for Elementor Lite, the free version by the same developer, does not appear to be vulnerable to this exploit.

Wordfence Premium customers received a rule on March 8, 2021 to protect against active exploitation of this vulnerability. Wordfence users still using the free version will receive protection on April 7, 2021.

If you are using The Plus Addons for Elementor plugin, we strongly recommend that you deactivate and remove the plugin completely until this vulnerability is patched. If the free version will suffice for your needs, you can switch to that version for the time being. If your site’s functionality is dependent on this plugin, we recommend completely removing any registration or login widgets added by the plugin and disabling registration on your site. No patched version is available at the time of this publication.

Description: Privilege Escalation
Affected Plugin: The Plus Addons for Elementor
Plugin Slug: theplus_elementor_addon
Affected Versions: <= 4.1.6
CVE ID: 2021-24175
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 4.1.7

“The Plus Addons for Elementor” is a plugin designed to add several additional widgets to be used alongside Elementor. One of these widgets added the ability to add a user login and registration form to an Elementor page. Unfortunately, this functionality was improperly configured and allowed attackers to register as an administrative user, or to log in as an existing administrative user.

It should be noted that this vulnerability can still be exploited even if you do not have an active login or registration page that was created with the plugin. This means that any site running this plugin is vulnerable to compromise.

At this time, we are releasing very minimal details due to this being an actively exploited vulnerability. We may decide to release more details in the future, but in the meantime we recommend you take appropriate measures to secure your site.

Indicators of Compromise

At this time, we have very limited indicators of compromise. However, we believe that attackers are adding user accounts with usernames as the registered email address based on how the vulnerability creates user accounts, and in some cases installing a malicious plugin labeled wpstaff. We strongly recommend checking your site for any unexpected administrative users or plugins you did not install.

We will update this section as we learn more.

Response timeline

March 8th, 2021 8:55 AM UTC – New vulnerability entry in WPScan reporting 0-day vulnerability in the The Plus Addons for Elementor plugin.
March 8th, 2021 1:32 PM UTC – Wordfence Threat Intelligence is alerted to the new vulnerability report and begins to triage the vulnerability.
March 8th, 2021 2:08 PM UTC – We verify the existence of the vulnerability and create a proof of concept.
March 8th, 2021 2:20 PM UTC – We create and begin testing a firewall rule to protect against the vulnerability.
March 8th, 2021 2:25 PM UTC – We reach out to the plugin developer to make sure that they are aware of the vulnerability and offer to provide details if required.
March 8th, 2021 2:50 PM UTC – The firewall rule is deployed to premium users.
April 7th, 2021 – Wordfence Free users receive the firewall rule.

Conclusion

In today’s post, we detailed a zero-day vulnerability being actively exploited in The Plus Addons for Elementor, a plugin that allows unauthenticated attackers to escalate their privileges on a vulnerable WordPress installation. This can be used to completely take over a WordPress site. This vulnerability currently remains unpatched as of this morning and, therefore, we strongly recommend deactivating and removing the plugin until a patch has been released.

Wordfence Premium customers received a rule on March 8, 2021 to protect against active exploitation of this vulnerability. Wordfence users still using the free version will receive protection on April 7, 2021.

Please forward and share this post widely so that those using this vulnerable plugin can take fast action to protect their sites as this zero-day vulnerability is currently being exploited in the wild.

Special thanks to Ramuel Gall, Wordfence Threat Analyst and QA Engineer, and Kathy Zant, Wordfence’s Director of Marketing, for their contributions to this post and research pertaining to the vulnerability. 

Did you enjoy this post? Share it!

28 Comments on "Critical 0-day in The Plus Addons for Elementor Allows Site Takeover"

assistenza WordPress March 8, 2021 at 8:43 am

Had a client today that was hit by this I think. It-s using the premium version of the plugin. Waiting for an update in the meanwhile reverted back to WordPress registration

Chloe Chamberland March 8, 2021 at 9:04 am

Hi there,

I'm sorry to hear your client was affected by this, but glad to hear you have reverted the site back to the default WordPress registration to keep the site secure! I recommend taking a moment to review this guide, if you haven't already, to ensure the site has no remnants of compromise left. The first things you should check for are rogue plugins and rogue administrative user accounts as those are the IOCs we are seeing with this campaign.

Antony March 8, 2021 at 10:11 am

Just a heads up the vulnerability can be taken advantage of even if no registration and login page has been created.

Chloe Chamberland March 8, 2021 at 10:29 am

Hi Antony,

I just confirmed that this is true and updated the post the reflect the information. Thank you for bringing this to our attention!

Kevin March 8, 2021 at 11:22 am

Is the site still vulnerable if you turn the "WP Login & Register widget off in the The Plus Widget settings page? (/wp-admin/admin.php?page=theplus_options)

Chloe Chamberland March 8, 2021 at 11:49 am

Hi Kevin,

Unfortunately, the vulnerabilities are still exploitable even if the "WP Login & Register" widget is disabled. For that reason, we recommend temporarily deactivating and removing the plugin until a patch has been released.

Sharif Jameel March 8, 2021 at 1:23 pm

Thanks for the quick disclosure and verification. Has the plugin developer begun working on or even acknowledged the vulnerability at this time?

Chloe Chamberland March 8, 2021 at 2:31 pm

Hi Sharif,

The plugin developer has acknowledged the vulnerabilities and released a patch this afternoon. We tested the patch and found it to be insufficient so we informed them of what was missing and expect to see a second, fully sufficient patch, released here soon. They have been very responsive for us thus far.

Chloe Chamberland March 9, 2021 at 6:32 am

Hi there,

Unfortunately, the latest update didn't fully address the security issues. We are working closely with the plugin's developer to ensure an optimal patch is released. I can assure you that they are working quickly to get a fix out to their customers and I presume it will be released by the end of today.

Sarah Gershone March 9, 2021 at 7:04 am

Hi - Thanks so much for this information. The Plugin developer has announced on their facebook page that this vulnerability has been resolved - can you verify if that is accurate?

Chloe Chamberland March 9, 2021 at 7:13 am

Hi Sarah,

Unfortunately, the latest update didn’t fully address the security issues. We are working closely with the plugin’s developer to ensure an optimal patch is released. I can assure you that they are working quickly to get a fix out to their customers and I presume it will be released by the end of today. We have updated the post to reflect this information and will update the post again once a fully sufficient patch has been released.

Gökhan Köse March 9, 2021 at 11:22 am

One of my clients is also affected, it created a Plugin called "wp-strongs"

Kane March 9, 2021 at 5:54 pm

It did the same for our site .... amongst many other annoying things .... ugh.

Makn March 9, 2021 at 2:26 pm

This author has just released version 4.1.7

Has this fixed the issue?

Chloe Chamberland March 9, 2021 at 6:00 pm

Hi there,

Version 4.1.7 does fix the issues. We recommend updating to this version as soon as possible and we have updated the post to reflect this new information.

sven March 9, 2021 at 11:49 pm

Hi,
two of my clients sites where infected, we had only the accordion widget activated on the one site and on the other site only the audio-player.
A new admin user was added, every .js file from themes and plugins was infected and a link to a js script was attached to every page and post.
On one site I restore the complete site from a backup that was taken the day before, for the other site the backup was to old so after replacing all files a find-and-replace on the database for the malicious script cleaned the site. I run the wordfence scan until the site was marked as clean.
I appreciate the fast respond from the developer but I received their email only after the sites where infected.

Chloe Chamberland March 11, 2021 at 4:56 am

Hi Sven,

I am sorry to hear that two of your clients were affected. Thank you for providing us with what happened on those sites!

Kesus March 10, 2021 at 12:40 am

One of my clients either. It changes all js files on the website and add many other things. YOu have to make a fress install and reinstall all plugins. For the database i still don't Making some research

Chloe Chamberland March 11, 2021 at 4:53 am

Hi Kesus,

I am sorry to hear your site was affected, but I appreciate you letting us know what happened on your site!

Misha Pchenitchnikov March 10, 2021 at 3:40 am

Thank you for the adequate response and updates on this vulnerability.

Since I'm becoming more and more interested in security (flaws) I was wondering if the cause of the vulnerability will be disclosed. Will you publish data on what the vulnerability was and how it can be exploited by people with wrong intentions?

Chloe Chamberland March 11, 2021 at 4:49 am

Hi Misha,

We will mostly likely do a follow-up post, once we feel that most people have updated to the patched version, containing some additional details on what created this vulnerability, how it was being exploited, and what the most common indicators of compromise are.

Jordan March 10, 2021 at 4:06 am

Wordfence is still telling me the files for this plugin is still a concern - Not sure how to proceed

Chloe Chamberland March 11, 2021 at 4:46 am

Hi Jordan,

Please make sure you have updated to version 4.1.7. If you still receive a warning that the plugin is of concern after updating please reach out to our support team so that we can further assist. If you a are premium user, you can contact us here. Alternatively, if you are a free user, you can contact us here.

KOHP March 10, 2021 at 4:29 am

Not sure when it was officially noticed, or known about, but we have been hacked on the 3rd of March, the attacker successfully created an account with admin privileges and on the 4th of March the attacker logged in successfully. We were not aware until March 9th while cleaning it up and working with WPforms since we were using their registration add-on. Shorlty after concluding with wpform around 4:45pm we received an email from The Plus Addons for Elementor about the breach at 4:56pm on the 9th.

On our front end we were still using the paid version of The Plus Addons for Elementor for the login form ...

Then all made sense... of what happened.

Chloe Chamberland March 11, 2021 at 4:42 am

Hi there,

I am so sorry to hear your site was affected by this. Thank you for providing us with the information you have! At this time, our earliest indicator of infection was March 5th, however, it now seems as though the exploit campaign started a few days earlier than that.

Mark March 10, 2021 at 6:10 pm

Hello, Guys, I wanted to Confirm will this vulnerability cuz a Data Breach for your Site Users? Or its just a simple ad redirect hack?

Chloe Chamberland March 11, 2021 at 5:04 am

Hi Mark,

Unfortunately, it is hard to say with 100% certainty whether or not a data breach has occurred without a full forensic investigation. However, it is highly likely that some data was breached. If your site has been compromised, you should assume that all the data has been compromised and you should notify your site users so that they are aware and can take the appropriate actions like changing their passwords.

Vee March 11, 2021 at 8:56 pm

They hacked three of my sites that were using this widget, here is another email address used inurypar76@gmail.com

This hack affected all the sites on my server, not just those three using the plus.

Some sites where redirecting to another site (the sites with the plus installed), other sites were just showing critical errors (sites using Divi) and weird code. I had to roll my whole cpanel account back to two weeks ago as at that time I did not know a safe date.

The first time I rolled the account back and got the sites working again, they re-hacked one of these sites again within 12 hours and caused the same issue all over again. Until I woke up to what was going on and deleted some of the sites temporarily as a emergency measure and updated the others to the latest version of the plus.

Very serious, as it affected all the sites in my cpanel, not just the ones with the register widget.

Funny when I saw that email trainwordpressai@site.com register to one of the sites again, in no time the whole cpanel was infected and the sites all redirecting and crashing.

The sites that I rolled back to two weeks ago and updated all seem to be fine now. I have scanned with wordfence sensitive search, and securi. Would all the malicious code be gone or should I take further action and hire a developer to scan database etc as my whole cpanel was affected?

Thank you, even though this was very scary and serious I am so much wiser now and have hardened ALL my sites up.

Follow Us

      


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 200 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates