The Plus Addons for Elementor WordPress plugin has a critical vulnerability that can be used to obtain administrator access to a website. The zero-day has been exploited in the wild, according to the Wordfence team at Defiant, a WordPress security firm.
The Plus Addons for Elementor is a premium plugin that adds multiple widgets to the popular WordPress website builder Elementor. It has over 30,000 installs to date.
The problem, according to Wordfence, is caused by one of the plugin's widgets, which lets site owners add user login and registration forms to Elementor websites.
If the feature is not properly configured, an attacker can create a new administrator account on the vulnerable site, or even log in as an existing administrative user, according to the researchers.
It is recommended that all users of The Plus Addons for Elementor plugin deactivate and uninstall the plugin until a patch for this zero-day is released. Any login or registration widgets added by the plugin should also be removed, and registration on unsafe pages should be disabled.
The Plus Addons for Elementor Lite, a free version of the plugin, is not affected by this vulnerability, according to the researchers. Users can therefore switch to the free version until the vulnerability is fixed.
“It should be remembered that even if you don’t have an active username or registration page built for the addon, this flaw can still be abused. This means that every site using this plugin is at risk of being hacked,” according to Wordfence.
The vulnerability is being actively exploited, according to the researchers. As a result, no further details will be published for the time being.
“Based on how the vulnerability generates user accounts, we suspect attackers are inserting user accounts with usernames as the registered email address, and in some cases downloading a malicious plugin called wpstaff,” Wordfence writes. The firm concludes: “We highly suggest searching the platform for any unwanted administrative users or plugins you did not add.”
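To make that check concrete, here is an added triage script (not from Wordfence or the plugin vendor) that flags administrator accounts and plugins matching the indicators described above. It assumes the site owner exports user and plugin lists with WP-CLI (`wp user list` / `wp plugin list` in CSV format); the CSV samples, the baseline sets and the plugin slugs below are constructed for illustration.

```python
import csv
import io

# Constructed sample of:
#   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv
ADMIN_CSV = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2019-04-02 10:11:12
7,intruder@example.net,intruder@example.net,2021-03-08 03:14:15
"""

# Constructed sample of:
#   wp plugin list --fields=name,status --format=csv
PLUGIN_CSV = """name,status
elementor,active
the-plus-addons-for-elementor,active
wpstaff,active
"""

# Assumed baselines: the admins and plugins the site owner knows they installed.
KNOWN_ADMINS = {"siteowner"}
KNOWN_PLUGINS = {"elementor", "the-plus-addons-for-elementor"}
# Plugin name reported by Wordfence as dropped by attackers in this campaign.
REPORTED_MALICIOUS_PLUGINS = {"wpstaff"}


def suspicious_admins(csv_text, known=KNOWN_ADMINS):
    """Return [(user_login, [reasons])] for admin rows that deserve a look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if row["user_login"] not in known:
            reasons.append("admin not in baseline")
        # Campaign indicator: the username is the registered e-mail address.
        if row["user_login"].strip().lower() == row["user_email"].strip().lower():
            reasons.append("username equals e-mail address")
        if reasons:
            findings.append((row["user_login"], reasons))
    return findings


def suspicious_plugins(csv_text, known=KNOWN_PLUGINS, bad=REPORTED_MALICIOUS_PLUGINS):
    """Return [(plugin_name, reason)] for plugins outside the baseline or on the reported list."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"].strip().lower()
        if name in bad:
            findings.append((name, "reported malicious plugin"))
        elif name not in known:
            findings.append((name, "plugin not in baseline"))
    return findings


if __name__ == "__main__":
    for login, reasons in suspicious_admins(ADMIN_CSV):
        print(f"ADMIN  {login}: {'; '.join(reasons)}")
    for name, reason in suspicious_plugins(PLUGIN_CSV):
        print(f"PLUGIN {name}: {reason}")
```

Any hit should be followed by removing the account or plugin, rotating credentials and reviewing access logs for the period since the account's registration date.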
The researchers developed a proof-of-concept and contacted the plugin’s developers, who are said to be working on a fix.