Wordfence experts warned that on May 6, hackers began exploiting critical vulnerabilities in the WordPress plugins Elementor Pro and Ultimate Addons for Elementor. The bugs can be used to remotely execute arbitrary code and completely compromise vulnerable sites.
Elementor Pro is a paid plugin with over 1,000,000 active installs. It helps users create their own WordPress sites with built-in theme and widget builders and support for custom CSS solutions.
An RCE issue has been identified in Elementor Pro and has been rated critical. The bug allows attackers with access at the level of a simple user to upload arbitrary files to target sites, as well as remotely execute arbitrary code on them. At the time the attacks began, this vulnerability was an unpatched zero-day.
Analysts write that attackers use this vulnerability to install backdoors and web shells (that is, to provide themselves with persistent access to compromised sites), gain administrator privileges and take full control of the site. If attackers do not already have a user account on a site, they can use the second vulnerability, which affects the Ultimate Addons for Elementor plugin installed on more than 110,000 sites. A flaw in this plugin allows attackers to register as subscribers on any site running the plugin (even if user registration is disabled).
To protect against these attacks, Wordfence recommends that administrators update Elementor Pro to version 2.9.4 as soon as possible, which fixes the RCE vulnerability. Users of Ultimate Addons for Elementor, in turn, need to update the plugin to version 1.24.2 or later, where the problem with registering new users has been fixed.
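A defender-side check for the two points above, written as an added example (it is not Wordfence's tooling or either plugin's own code): it reads the `Version:` header of each plugin's main PHP file and flags installs below the fixed versions quoted in the article, and it lists PHP files under `wp-content/uploads`, where a site should only hold media and where an arbitrary-file-upload bug typically drops a web shell. The plugin directory names `elementor-pro` and `ultimate-elementor` are assumed slugs, and the sample plugin headers and upload files are constructed so the script runs offline.

```python
"""Constructed checks for the Elementor Pro / Ultimate Addons advisory above.
Assumptions: WordPress plugin headers carry a 'Version:' line, and the plugin
folders are named 'elementor-pro' and 'ultimate-elementor' (assumed slugs)."""
import os
import re
import tempfile

# Minimum fixed versions as stated in the article.
FIXED_VERSIONS = {
    "elementor-pro": "2.9.4",
    "ultimate-elementor": "1.24.2",
}

# Matches ' * Version: 2.9.3' or 'Version: 2.9.3' in a plugin file header.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)

# Extensions the web server may execute; none of them belong in uploads/.
EXEC_EXTS = (".php", ".phtml", ".php5", ".phar")


def parse_version(v):
    """'2.9.4' -> (2, 9, 4); a non-numeric suffix in a component is dropped."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version string a is older than b (missing components count as 0)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def plugin_version(header_text):
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def find_vulnerable_plugins(plugins_dir):
    """Return {slug: installed_version} for installed plugins below the fixed version."""
    findings = {}
    for slug, fixed in FIXED_VERSIONS.items():
        plugin_path = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_path):
            continue  # plugin not installed, nothing to check
        for name in sorted(os.listdir(plugin_path)):
            if not name.endswith(".php"):
                continue
            with open(os.path.join(plugin_path, name), encoding="utf-8", errors="replace") as f:
                ver = plugin_version(f.read(4096))  # header sits at the top of the file
            if ver and version_lt(ver, fixed):
                findings[slug] = ver
                break
    return findings


def find_php_in_uploads(uploads_dir):
    """List executable files under uploads/, relative paths with '/' separators."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for fn in files:
            if fn.lower().endswith(EXEC_EXTS):
                rel = os.path.relpath(os.path.join(root, fn), uploads_dir)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def build_fixture(root):
    """Constructed wp-content tree: one outdated plugin, one patched, one stray PHP upload."""
    _write(os.path.join(root, "plugins", "elementor-pro", "elementor-pro.php"),
           "<?php\n/**\n * Plugin Name: Elementor Pro\n * Version: 2.9.3\n */\n")
    _write(os.path.join(root, "plugins", "ultimate-elementor", "ultimate-elementor.php"),
           "<?php\n/**\n * Plugin Name: Ultimate Addons for Elementor\n * Version: 1.24.2\n */\n")
    _write(os.path.join(root, "uploads", "2020", "05", "photo.jpg"), "not really a jpeg")
    _write(os.path.join(root, "uploads", "2020", "05", "image.php"), "<?php /* constructed */ ?>")


def run_checks(root=None):
    """Build the fixture (unless a real wp-content path is given) and run both checks."""
    if root is None:
        root = tempfile.mkdtemp(prefix="wpcheck-")
        build_fixture(root)
    return {
        "vulnerable_plugins": find_vulnerable_plugins(os.path.join(root, "plugins")),
        "php_in_uploads": find_php_in_uploads(os.path.join(root, "uploads")),
    }


if __name__ == "__main__":
    print(run_checks())
```

Pointing `run_checks()` at a real `wp-content` directory runs the same two checks against it; a PHP file under uploads is not proof of compromise on its own, but it is the first thing to look at after an arbitrary-upload bug of this kind, along with unexpected subscriber accounts created while registration was supposedly disabled.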