Heads up, WordPress admins! A critical zero-day vulnerability has been found and patched in the Plus Addons for Elementor plugin. The developers have released a fix, so update your sites to plugin version 4.1.7 as soon as possible.
Zero-Day Bug In Plus Addons For Elementor
Wordfence, the security team that tracks vulnerable WordPress plugins, has reported a serious flaw in yet another plugin: this time a critical zero-day vulnerability affecting the WordPress plugin Plus Addons for Elementor.
As elaborated in their post, the researchers found a privilege escalation vulnerability in the plugin feature that adds a user login and registration widget to Elementor. Because of it, an adversary could create administrator accounts on a target website.
While Wordfence chose not to disclose further details of the bug because it was being actively exploited, they did explain:
Unfortunately, this functionality was improperly configured and allowed attackers to register as an administrative user, or to log in as an existing administrative user.
It should be noted that this vulnerability can still be exploited even if you do not have an active login or registration page that was created with the plugin. This means that any site running this plugin is vulnerable to compromise.
The vulnerability received the CVE ID CVE-2021-24175 and a CVSS score of 9.8.
Patch Rolled Out
On discovering the bug, Wordfence reached out to the plugin developers. In response, the dev team started work on a fix, first deploying a partial fix in version 4.1.6, followed by a full patch in plugin version 4.1.7.
The Plus Addons for Elementor plugin currently has more than 30,000 installations, so the vulnerability potentially exposes tens of thousands of websites worldwide. All site admins using this plugin should update to the latest plugin version without delay. Because the bug was exploited before the patch was available, updating alone is not enough: any site that ran a vulnerable version should also be checked for administrator accounts that its owners did not create.
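The following script is an added example, not code from Wordfence or the plugin vendor, of the two checks an administrator would want after this advisory: whether the installed build is older than the fix versions named above (4.1.6 partial, 4.1.7 full), and whether any administrator accounts appeared that the site owner does not recognise. It assumes the plugin's main PHP file carries a standard WordPress plugin header with a "Version:" line, and that user records have been exported from wp_users joined with the wp_capabilities meta into plain dicts; the plugin header and user list below are constructed sample data, and the file path and known-admin list are placeholders.

```python
"""Post-advisory triage for CVE-2021-24175 (Plus Addons for Elementor).

Added example; assumptions are labelled in comments. Versions are compared as
integer tuples rather than strings so that 4.10.0 correctly sorts above 4.1.7.
"""
import re
from datetime import datetime
from pathlib import Path

FIXED_VERSION = (4, 1, 7)         # full fix, per the advisory
PARTIAL_FIX_VERSION = (4, 1, 6)   # partial fix, per the advisory

# Assumption: standard WordPress plugin header, e.g. " * Version: 4.1.5".
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def parse_version(header_text):
    """Return the plugin version as a tuple of ints, or None if no header line."""
    m = VERSION_RE.search(header_text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).strip(".").split("."))


def assess(version):
    """Classify an installed version against the advisory's fix versions."""
    if version is None:
        return "unknown"
    if version >= FIXED_VERSION:
        return "patched"
    if version >= PARTIAL_FIX_VERSION:
        return "partially-patched"
    return "vulnerable"


def assess_plugin_file(path):
    """Read the plugin's main PHP file (path is a placeholder) and classify it."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return assess(parse_version(text))


def unexpected_admins(users, known_admins, window_start):
    """Flag administrator accounts that are not in the owner's known list or
    were registered on/after window_start (a 'YYYY-MM-DD' string).

    Each user dict is assumed to carry user_login, user_registered (the
    'YYYY-MM-DD HH:MM:SS' format wp_users stores) and roles (a list parsed
    from the wp_capabilities meta).
    """
    start = datetime.strptime(window_start, "%Y-%m-%d")
    flagged = []
    for user in users:
        if "administrator" not in user["roles"]:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if user["user_login"] not in known_admins or registered >= start:
            flagged.append(user["user_login"])
    return flagged


# Constructed sample inputs (not real site data).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: The Plus Addons for Elementor
 * Version: 4.1.5
 */
"""

SAMPLE_USERS = [
    {"user_login": "siteowner", "user_registered": "2019-05-02 10:00:00",
     "roles": ["administrator"]},
    {"user_login": "editor1", "user_registered": "2020-01-10 09:30:00",
     "roles": ["editor"]},
    {"user_login": "wpadmin_support", "user_registered": "2021-03-08 03:14:22",
     "roles": ["administrator"]},
]


def triage_sample():
    """Run both checks over the constructed sample data."""
    status = assess(parse_version(SAMPLE_HEADER))
    rogue = unexpected_admins(SAMPLE_USERS, known_admins={"siteowner"},
                              window_start="2021-03-01")
    return status, rogue


if __name__ == "__main__":
    status, rogue = triage_sample()
    print(f"plugin status: {status}")
    print(f"administrator accounts to review: {rogue or 'none'}")
```

On a live site the same two functions would be fed the real plugin file (assess_plugin_file) and a dump of wp_users joined with wp_usermeta where meta_key is wp_capabilities; a flagged account is a lead to investigate, not proof of compromise, so review it against the site's own records before removing it.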
Notably, this vulnerability affected only the premium version of the plugin. The free version, The Plus Addons for Elementor Page Builder Lite, was not affected.