Critical 0-day in the Plus addons for Elementor allowing full site take over

Update: As of late March 9th, 2021, the vulnerabilities have been fully patched in version 4.1.7

Yesterday, March 8th 2021, the Hosted WP team became aware of a critical 0-day in The Plus Addons for Elementor. The flaw was reported to WPScan by Seravo, a hosting company. The premium plugin has an estimated 30,000+ active installations. The flaw makes it possible for attackers to create a new administrative user account on vulnerable sites if user registration is enabled.

The Plus Addons for Elementor Lite, the free version, does not appear to be vulnerable to this exploit.

Description: Privilege Escalation
Affected Plugin: The Plus Addons for Elementor
Plugin Slug: theplus_elementor_addon
Affected Versions: <= 4.1.5
CVE ID: CVE-2021-24175
CVSS Score: 9.8 (Critical)
Fully Patched Version: Currently unpatched.

If you are using The Plus Addons for Elementor plugin, we strongly recommend that you deactivate and remove the plugin completely until this vulnerability is patched. If the free version will suffice for your needs, you can switch to that version for the time being. If your site’s functionality is dependent on this plugin, we recommend completely removing any registration or login widgets added by the plugin and disabling registration on your site. No patched version is available at the time of this publication.
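To apply that advice consistently across many sites, the following WP-CLI script (an added example, not code from the original post or from the plugin vendor) checks whether the affected plugin is installed at a version in the affected range, reports whether the attacker's precondition (open user registration) is met, and, when asked, closes registration and deactivates the plugin. It assumes `wp` is on PATH and that the script is run from the site root.

```shell
# Added example (not from the original post): triage one WordPress site
# against this advisory with WP-CLI. Assumes `wp` is on PATH and the
# script runs from the site root (or is pointed at it with --path).
set -eu
PLUGIN_SLUG="theplus_elementor_addon"   # slug given in the advisory
FIRST_SAFE="4.1.6"                      # smallest version above "<= 4.1.5"

# Exit 0 if version $1 is in the affected range (<= 4.1.5), else 1.
# sort -V compares per numeric component, so 4.1.10 sorts above 4.1.5.
is_vulnerable_version() {
    v="$1"
    lowest=$(printf '%s\n%s\n' "$v" "$FIRST_SAFE" | sort -V | head -n 1)
    if [ "$lowest" = "$v" ] && [ "$v" != "$FIRST_SAFE" ]; then
        return 0
    fi
    return 1
}

# Map (installed version or "", users_can_register value) to a verdict.
triage() {
    version="$1"; can_register="$2"
    if [ -z "$version" ]; then echo "not-installed"; return; fi
    if ! is_vulnerable_version "$version"; then echo "patched"; return; fi
    if [ "$can_register" = "1" ]; then
        echo "vulnerable-registration-open"     # attacker precondition met
    else
        echo "vulnerable-registration-closed"   # still remove the plugin
    fi
}

# Live check; applies the advisory's mitigation when the site is exposed.
check_site() {
    command -v wp >/dev/null 2>&1 || { echo "WP-CLI not found" >&2; return 1; }
    version=""
    if wp plugin is-installed "$PLUGIN_SLUG"; then
        version=$(wp plugin get "$PLUGIN_SLUG" --field=version)
    fi
    can_register=$(wp option get users_can_register)
    verdict=$(triage "$version" "$can_register")
    echo "$PLUGIN_SLUG version=${version:-none} users_can_register=$can_register -> $verdict"
    case "$verdict" in
        vulnerable-*)
            wp option update users_can_register 0   # disable registration
            wp plugin deactivate "$PLUGIN_SLUG"      # and deactivate the plugin
            ;;
    esac
}

# Only touch the site when explicitly asked: sh triage.sh --check
if [ "${1:-}" = "--check" ]; then check_site; fi
```

Once the vendor's fixed release is installed, the same script reports `patched` and makes no changes.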

If you would like assistance or would like to find out more, please contact us.

More technical information can be found at WPScan.

About the author

David Sullivan
Owner of Hosted WP.

Personal Blog at https://sulli.blog