WordPress sites attacked via 0-day leak in Elementor add-on


An estimated 30,000 WordPress sites are at risk of being caught by cybercriminals due to a zero-day leak in an add-on to the Elementor plug-in. The vulnerability is under active attack and a security update is not yet available. The vulnerability could allow an attacker to take full control of the website.


The vulnerability is present in The Plus Addons for Elementor. Elementor is a so-called "page builder" plugin that replaces the standard WordPress editor. It offers users more freedom and options for designing their WordPress site and introduces all kinds of additional functionality. The Plus Addons is a paid extension for Elementor that adds various widgets that can be used in combination with Elementor. About 30,000 WordPress sites would use it, reports security company Wordfence .


One of these widgets, for registering and logging in users, contains a vulnerability. This vulnerability was rated 9.8 in severity on a scale of 1 to 10. The vulnerability allows an attacker to create new administrators or log in as existing administrators. In the attacks now observed, attackers add their own accounts as administrators. The vulnerability was discovered by WPScan . As long as no patch is available, details will be withheld.

Previous Post Next Post