Elementor Pro and Ultimate Addons for Elementor – Critical vulnerabilities, 1 Million sites at risk. Is your site safe?

Elementor Pro is a WordPress page builder with approximately 1 million users and it’s addon Ultimate Addons for Elementor has an installation base of around 110,000. It is estimated that the critical vulnerabilities in these two related WordPress plugins has risked over 1 million websites.

If you are using Elementor Pro or a combination of Elementor Pro and Ultimate Addons for Elementor on your site, upgrade to the latest versions immediately. The critical vulnerabilities have been fixed in Elementor PRO 2.9.4 and Ultimate Addons for Elementor version 1.24.2.

Note: The free Elementor plugin in WordPress plugin repository is not affected by this vulnerability.

Two high severity vulnerabilities exploited

Elementor Pro < 2.9.4 – Authenticated Arbitrary File Upload

Type: RCE (Remote Code Execution)
CVSS Score: 9.9 (Critical)
CWE (Common Weakness Enumeration): CWE-94, Improper Control of Generation of Code (‘Code Injection’)

The Elementor PRO vulnerability allowed any logged-in users to upload and execute PHP scripts.

This means it allowed any authenticated user, regardless of their user role, to submit an AJAX request behind the scenes which allowed them to upload any files to the upload directory; leading to Remote Code Execution.

It was only possible to attack sites with open registrations like WooCommerce stores, LMS sites, membership sites, etc.

Implication: If an attacker is able to remotely execute code on your site it can lead to installation of a backdoor or webshell to gain full administrative access to WordPress. As a result the attacker can create rogue admin accounts, inject a backdoor on a site or completely delete the site.

Vulnerability Patched: The security loophole was caused by a function that was missing a permission check and a proper file extension check. This in addition to open registrations on the site allowed attackers to easily exploit the combination of these issues to upload malicious files to the site.

The issue has been fixed in version 2.9.4 which added proper permission and file extension check against the upload action.

Ultimate Addons for Elementor < 1.24.2 – Registration Bypass

Type: Bypass
CVSS Score: 7.2 (High)

The vulnerability in Elementor PRO affected the sites with open registrations only. A vulnerability in Ultimate Addons for Elementor allowed the attackers to create an account, even if registrations were turned off and resulted in exploiting Elementor Pro vulnerability.

Registration Bypass Vulnerability: For an attacker to exploit the arbitrary file upload vulnerability in Elementor PRO, authentication is required. In case where a site does not have open registrations and the Ultimate Addons for Elementor plugin is installed, an attacker can create an account by exploiting the registration bypass vulnerability in the addon.

This issue existed in the registration form module, which registers using an AJAX action. The AJAX action was missing the following 2 checks:

  • Whether or not the site allows registrations and
  • Whether or not the registration module has been activated by the administrator of the site.

The issue has been fixed in version 1.24.2 by adding the checks to see if registrations are open and if the registration form module has been activated.

How to Protect Your Elementor Pro Website?

Step One: Update the plugin(s)

The first step is to update both Elementor PRO and Ultimate Addons for Elementor to use the latest versions. After upgrading to the latest version, it’s time to monitor the site for suspicious user accounts and malicious files and folders.

Step Two: Review User Accounts

Check the users on your WordPress website to see if there are any new or suspicious users and delete all the malicious & suspicious user accounts.

Step Three: Manually inspect files and folders on your site

Access your site via FTP and look at your website files and see if there are any suspicious PHP files or unwanted files in your WordPress installation directory.

  1. Check for files named “wp-xmlrpc.php” and delete the same. In most of the cases this file will be in the root of your WordPress site.
  2. Delete any unknown files or folders found in /wp-content/uploads/elementor/custom-icons/ directory. Make sure to visit all the folders in this directory. Some of the most common malicious files / file names in this directory can be:
    • wpstaff.php
    • demo.html
    • Read Mw.txt
    • config.json
    • icons-reference.html
    • selection.json
    • fonts.php

Step Four: Run a Complete Website Scan

After manually inspecting and deleting files and folders, run a complete website scan using Wordfence or WP Malware Scanner. These plugins will scan your WordPress install for malware, infections, security-threats, viruses, trojans, backdoors, malicious redirects, dolohen, code injections, etc. The website scan will help you in detecting infections which you may have missed while manually inspecting the files and folders.

Step Five: Professional Site Cleaning

If you are having issues with accessing your site or if there are indications of widespread infection you can engage our security team for professionally cleaning the infected site.