Security News > 2021 > March > Vulnerability That Allows Complete WordPress Site Takeover Exploited in the Wild

Vulnerability That Allows Complete WordPress Site Takeover Exploited in the Wild
2021-03-09 15:31

A critical vulnerability identified in The Plus Addons for Elementor WordPress plugin could be exploited to gain administrative privileges to a website.

With more than 30,000 installations to date, The Plus Addons for Elementor is a premium plugin that has been designed to add several widgets to be used with the popular WordPress website builder Elementor.

All users of The Plus Addons for Elementor plugin are advised to deactivate and remove the plugin until a fix has been delivered for this zero-day.

The researchers also note that the free version of the plugin, namely The Plus Addons for Elementor Lite, is not affected by the same vulnerability.

"It should be noted that this vulnerability can still be exploited even if you do not have an active login or registration page that was created with the plugin. This means that any site running this plugin is vulnerable to compromise," Wordfence says.

"We believe that attackers are adding user accounts with usernames as the registered email address based on how the vulnerability creates user accounts, and in some cases installing a malicious plugin labeled wpstaff. We strongly recommend checking your site for any unexpected administrative users or plugins you did not install," Wordfence concludes.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/ljDb3o36OgA/vulnerability-allows-complete-wordpress-site-takeover-exploited-wild

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Wordpress 7 2 93 44 18 157