Attacks on Elementor Pro and Ultimate Addons Place WordPress Sites at Risk

Elementor security update | InMotion Hosting

Update: As of May 7, 2020, Elementor Pro has released version 2.9.4 to patch the vulnerability. Brainstorm Force, the maker of the Ultimate Addons, has also released a patched version, 1.24.2. If you are using Elementor Pro or the Ultimate Addons plugin, please update to the patched version immediately.

Attacks on WordPress sites using Elementor Pro and the Ultimate Addons for Elementor are the result of vulnerabilities in both of these plugins. If you use these plugins then you should take immediate action to protect your site from being hacked. If you have not already done so, make sure you do the following:

  • Back up your site
  • Update your Elementor and Ultimate Addons plugins to the latest version
  • Update your security software (if you are using an application) – check with your plugin developer to make sure they have addressed this issue

What are the Vulnerabilities Being Exploited?

Elementor Pro (version 2.9.3 or lower) has a zero-day vulnerability that leaves the application open to exploitation if the site is set to allow open user registration.

A zero-day vulnerability is a flaw in the software that affects the application immediately, because attackers can exploit it before a patch is available.

The Ultimate Addons for Elementor plugin (version 1.24.1 or lower) by Brainstorm Force has a flaw that allows the Elementor Pro vulnerability to be exploited even if the site is not set to allow open user registration.

As of the date of this article, both plugins have been updated to patch the vulnerability. Update your plugins immediately to prevent any possible hacks to your site from these vulnerabilities. Note that this exploit does not affect the free version of Elementor.

What can you do now?

There are a number of steps that you can take if you suspect your site has been hacked. A backup is a preventative measure that should be taken while you know your code has not been compromised. However, it is still the number one measure that should be part of any emergency response plan for your website. If for some reason you cannot immediately apply the patch:

  • Downgrade to an earlier version of the plugins
  • Back up your current version (don’t overwrite any existing backups), then restore an earlier version of your site if you have one. You should still update your plugins as soon as possible
  • Check your WordPress Users to make sure you don’t have any unknown users that have been added through the exploit
  • Consult with a security agency like Sucuri or Wordfence to help clean up your site
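The version check and the user check above can be scripted. The following is an added example, not code from this article or from either plugin vendor: it works on the JSON that WP-CLI prints for `wp plugin list --format=json` and `wp user list --format=json`. The plugin folder names, the list of known logins and the sample records are assumptions constructed for illustration.

```python
import json
import re

# Last vulnerable releases as stated in the article. The keys are assumed
# plugin folder names; confirm them against your own `wp plugin list` output.
LAST_VULNERABLE = {"elementor-pro": "2.9.3", "ultimate-elementor": "1.24.1"}

# Constructed sample data in the shape WP-CLI emits with --format=json.
SAMPLE_PLUGINS = json.loads("""[
  {"name": "elementor", "status": "active", "version": "2.9.8"},
  {"name": "elementor-pro", "status": "active", "version": "2.9.3"},
  {"name": "ultimate-elementor", "status": "active", "version": "1.24.2"}
]""")
SAMPLE_USERS = json.loads("""[
  {"ID": 1, "user_login": "siteadmin", "roles": "administrator",
   "user_registered": "2018-03-01 10:00:00"},
  {"ID": 7, "user_login": "editor_jane", "roles": "editor",
   "user_registered": "2019-11-12 08:30:00"},
  {"ID": 42, "user_login": "xk3test", "roles": "subscriber",
   "user_registered": "2020-05-06 03:12:45"}
]""")


def parse_version(text, width=4):
    """'2.9.3' -> (2, 9, 3, 0); suffixes such as '-beta1' are ignored."""
    nums = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        nums.append(int(match.group()) if match else 0)
    return tuple((nums + [0] * width)[:width])


def vulnerable_plugins(plugins):
    """Return (name, version, status) for plugins at or below the last vulnerable release."""
    return [(p["name"], p["version"], p["status"]) for p in plugins
            if p["name"] in LAST_VULNERABLE
            and parse_version(p["version"]) <= parse_version(LAST_VULNERABLE[p["name"]])]


def unknown_users(users, known_logins):
    """Return accounts whose login is not on the operator's list, newest first."""
    known = {login.lower() for login in known_logins}
    flagged = [u for u in users if u["user_login"].lower() not in known]
    return sorted(flagged, key=lambda u: u["user_registered"], reverse=True)


if __name__ == "__main__":
    for name, version, status in vulnerable_plugins(SAMPLE_PLUGINS):
        print(f"UPDATE NEEDED: {name} {version} ({status})")
    for u in unknown_users(SAMPLE_USERS, ["siteadmin", "editor_jane"]):
        print(f"REVIEW: {u['user_login']} ({u['roles']}) registered {u['user_registered']}")
```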

We hope that this helps to bring this security issue to your attention if you are an Elementor Pro user. If you want to learn more about WordPress on topics like recommended plugins, then please see our WordPress Education channel.
