Attackers Hit the Bull’s Eye, Exploit Popular WordPress Plugins

Lately, the popular content management system (CMS), WordPress, has become one of the most lucrative and profitable targets for hackers. Cybercriminals are vigorously exploiting security vulnerabilities in WordPress plugins with an aim to remotely execute arbitrary code and compromise unpatched targets.

All about the security vulnerabilities

Elementor Pro is a paid WordPress plugin with over one million active installations. Using the plugin, users can easily create WordPress websites from scratch.

  • Rated as ‘critical,’ the Elementor Pro vulnerability is a remote code execution bug that enables hackers with registered user access to upload arbitrary files on the targeted sites and execute code remotely.
  • After exploiting this security flaw, attackers can install backdoors or webshells to retain access to the affected sites, gain full admin access to compromise them further, or wipe the entire website.

Ultimate Addons for Elementor is a WordPress plugin with over 110,000 installations.

  • Attackers without a registered user account can exploit the second vulnerability, found in the Ultimate Addons for Elementor plugin.
  • Even if user registration is disabled, this vulnerability allows attackers to register themselves as subscriber-level users on any website running the plugin.
  • They then use the newly registered accounts to exploit the Elementor Pro [..] vulnerability and achieve remote code execution.

Has your site been compromised?

  • If your site has unidentified subscriber-level users, it may have been compromised as a part of this active campaign. If so, eliminate those accounts.
  • Check your site for files named “wp-xmlrpc.php”; such files are an indicator of compromise.
  • Remove any unknown files or folders found in the “/wp-content/uploads/elementor/custom-icons/” directory. Files located in this directory indicate a compromise.
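The file-based checks above, as an added example that is not part of the original article: a short Python scanner that walks a WordPress install for any “wp-xmlrpc.php” and for anything dropped under the custom-icons upload directory, plus a helper that compares a subscriber list against an allowlist. The CSV layout is assumed to match WP-CLI's `wp user list --format=csv` output, and the sample site and user list are constructed here for the demonstration.

```python
import csv
import io
import os
import tempfile
from pathlib import Path

# Indicators named in the article. The legitimate core file is xmlrpc.php in
# the site root; a file called wp-xmlrpc.php is not part of WordPress.
BACKDOOR_NAME = "wp-xmlrpc.php"
ICON_DIR = Path("wp-content/uploads/elementor/custom-icons")


def scan_wordpress_root(root):
    """Walk an install and collect both file-based indicators: any file named
    wp-xmlrpc.php, and every file under the custom-icons upload directory."""
    root = Path(root)
    hits = {"backdoor_files": [], "custom_icon_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root)
            if name == BACKDOOR_NAME:
                hits["backdoor_files"].append(rel.as_posix())
            elif ICON_DIR in rel.parents:  # anything at any depth below the icon dir
                hits["custom_icon_files"].append(rel.as_posix())
    for key in hits:
        hits[key].sort()
    return hits


def unknown_subscribers(csv_text, known_logins):
    """Return subscriber logins that are not on the allowlist. csv_text is assumed to be
    `wp user list --role=subscriber --fields=user_login,user_registered --format=csv`."""
    rows = csv.DictReader(io.StringIO(csv_text))
    known = set(known_logins)
    return sorted(r["user_login"] for r in rows if r["user_login"] not in known)


def make_demo_site():
    """Constructed sample install: one planted backdoor and one file in the icon dir."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    (root / "wp-content/plugins/elementor-pro").mkdir(parents=True)
    (root / "xmlrpc.php").write_text("<?php // legitimate core file\n")
    (root / "wp-content/plugins/elementor-pro" / BACKDOOR_NAME).write_text("<?php // planted\n")
    (root / ICON_DIR).mkdir(parents=True)
    (root / ICON_DIR / "icon.php").write_text("<?php // dropped\n")
    return root


# Constructed sample of `wp user list` output; only 'alice' is an expected subscriber.
SAMPLE_USERS_CSV = "user_login,user_registered\nalice,2019-11-02 10:00:00\nzxq9a1,2020-05-04 03:12:44\n"

if __name__ == "__main__":
    print(scan_wordpress_root(make_demo_site()))
    print(unknown_subscribers(SAMPLE_USERS_CSV, ["alice"]))
```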

WordPress is on the hook

  • On April 28, 2020, a series of attacks were observed either redirecting visitors to malvertising sites or installing backdoors in cases where site administrators were logged in. Targeting over 900,000 WordPress sites, no less than 24,000 IP addresses were used to send malicious requests.
  • More than 20 million attacks were launched against over half a million WordPress sites on May 3, 2020.

Update to the latest versions

  • In order to protect yourself from these ongoing attacks, you can update Elementor Pro to version 2.9.4, which fixes the remote code execution vulnerability.
  • Users of the Ultimate Addons for Elementor plugin need to upgrade to version 1.24.2.