Security News

Two Wordpress Plugin Vulnerabilities, One a Zero-Day, Affect More Than 1.1 Million Sites

Researchers have discovered vulnerabilities, one a critical zero-day, in two Wordpress plugins installed on more than 1.1 million sites.

The zero-day affects the Elementor Pro plugin and is exploitable if users have open registration.

"An attacker able to remotely execute code on your site can install a backdoor or webshell to maintain access, gain full administrative access to WordPress, or even delete your site entirely," stated the Wordfence Threat Intelligence team in their report.

The zero-day is unpatched at the time of writing and, because of this, the researchers are excluding any further information.

The vulnerability in the second plugin - Ultimate Addons for Elementor - was recently patched in version 1.24.2. However, attackers can still use this vuln on unpatched sites to register as a subscriber.

"Then they use the newly registered accounts to exploit the Elementor Pro zero-day vulnerability and achieve remote code execution," said the researchers, who estimate that Elementor Pro is installed on more than one million sites and Ultimate Addons around 110,000.

Due to the fact this is an ongoing attack, researchers have limited the amount of information they are disclosing, but recommend that users:

1. Check for any unknown subscriber-level users on your site and remove those accounts

2. Check for files named 'wp-xmlrpc.php.' (considered an indication of compromise)

3. Delete any unknown files or folders found in /wp-content/uploads/elementor/custom-icons/ directory.

The Wordfence report is being updated as the incident unfolds.

. . .

If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.

Get weekly security news and vulnerability alerts

Join over 1,000 others receiving a free weekly report with a round-up of vulnerabilities and security news customised to your software stack. See an example email

Example email for SecAlerts

Earlier: