A zero-day vulnerability was discovered in the WordPress plugin The Plus Addons for Elementor. The exploit allows a complete site takeover. Security researchers recommend disabling the plugin immediately to avoid being hacked.
The vulnerability is not in Elementor itself, but in a popular plugin that extends Elementor.
Zero Day Vulnerability
A zero-day vulnerability is a vulnerability that attackers already know about but for which the software developer has no patch yet.
Typically, a vulnerability is discovered and the software developer has time to correct it before hackers discover the problem.
In a typical zero-day scenario, the bug is known to and actively exploited by attackers while the software developers are still working out how the exploit works and how to fix it.
For this reason, zero-day vulnerabilities are considered to be of particular concern, as websites can be easily hacked in the time between the discovery of the vulnerability and the release of a patch.
The Plus Addons for Elementor Exploit
The Plus Addons for Elementor are a suite of over a hundred widgets, templates and blocks that expand the design options for websites that use the Elementor page builder plugin.
Elementor is a page building plugin that extends the native WordPress editor to make it easy to create attractive websites.
However, the vulnerability does not lie in Elementor. The vulnerability exists in a plug-in that extends Elementor's design capabilities.
What is the Plus Addons for Elementor Vulnerability?
There are two versions of the Plus Addons for Elementor plugin: a free one and a paid one.
The bug does not exist in the free version, so if you use the free version of the addon, your website is not affected.
The paid version of the plugin is the insecure one.
The paid version of Plus Addon is vulnerable
According to security researchers at Wordfence, the plugin's registration and login widget modules are the attack vector.
"If you are using the Plus Addons for Elementor plugin, we strongly recommend that you deactivate and completely remove the plugin until this vulnerability is resolved. If the free version is sufficient for your needs, you can switch to this version for now.
If the functionality of your website depends on this plugin, we recommend completely removing any registration or login widgets added by the plugin and disabling registration on your website. A patched version is not available at the time of this writing."
It was later discovered that disabling the WP Login & Register widget was not enough to prevent hacking.
"… The security gaps can still be exploited if the 'WP Login & Register' widget is deactivated. For this reason, we recommend temporarily deactivating and removing the plugin until a patch has been released."
A patch is in the works – but act now
The plugin developer is working on a patch. A first patch was released quickly, but Wordfence researchers confirmed that the plugin was still not fully hardened against the exploit.
Take action now
As mentioned above, Wordfence recommends disabling and removing the plugin entirely. If there are site features that depend on the plugin, the free version can be temporarily installed until a patch is released.
Waiting for a patch is a risk not worth taking, as the bug is being actively exploited.
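The containment steps above (deactivate and completely remove the plugin, then turn off open registration and review who holds administrator access) as a WP-CLI script. This is an added example, not code from Wordfence or the plugin vendor; it assumes WP-CLI is installed on the server, and the plugin slug is an assumption that must be confirmed with `wp plugin list` first.

```shell
#!/bin/sh
# Emergency containment for the Plus Addons for Elementor zero-day (added example).
# Assumes: WP-CLI is installed and the script is run from the WordPress root.
set -eu

# ASSUMED slug of the paid plugin; confirm it with `wp plugin list` before running.
PLUGIN_SLUG="${PLUGIN_SLUG:-theplus_elementor_addon}"
# WP-CLI command; overridable so the functions can be exercised without a live site.
WP="${WP:-wp}"

# Returns 0 if the plugin is installed in any state, 1 otherwise.
plugin_installed() {
    "$WP" plugin is-installed "$PLUGIN_SLUG" >/dev/null 2>&1
}

# Containment as advised in the article: deactivate and completely remove the
# plugin, then close open registration (users_can_register = 0) since the
# registration and login widgets are the reported attack vector.
contain() {
    if plugin_installed; then
        "$WP" plugin deactivate "$PLUGIN_SLUG"
        "$WP" plugin delete "$PLUGIN_SLUG"
    fi
    "$WP" option update users_can_register 0
}

# Post-containment review: list administrator accounts with their creation
# dates so that any account you did not create stands out.
audit_admins() {
    "$WP" user list --role=administrator --fields=ID,user_login,user_registered
}

# Run on a real site with: sh contain.sh --run
if [ "${1:-}" = "--run" ]; then
    contain
    audit_admins
fi
```

If the site genuinely depends on the plugin, install the free version afterwards, as the article suggests, rather than reinstalling the paid one.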
Critical 0-day in The Plus Addons for Elementor allows site takeover