Security researchers have shared details about a large-scale attack campaign targeting a set of critical vulnerabilities in The Plus Addons for Elementor Pro, a third-party extension for the popular Elementor WordPress website builder.
Web hosting company Seravo first reported the zero-day vulnerabilities in the third-party WordPress plugin, which were already being exploited in the wild. By exploiting them, an attacker can log in as an existing administrator or create new administrator accounts on any affected site.
The privilege escalation vulnerabilities in the addons are being tracked by Wordfence, which develops the WordPress security plugin of the same name. While analyzing the plugin, Wordfence researchers found additional vulnerabilities and notified the developer.
Although the vulnerabilities have already been patched, according to Wordfence there has been no let-up in the attacks.
Unusual campaign
Over the past ten days, Wordfence claims to have blocked over 14 million attacks that hunt for websites using unpatched versions of the vulnerable addons.
This is surprising because the addons are used on only about 30,000 websites, of which nearly 60% are thought to have upgraded to the patched version.
“This campaign is notable in that it is targeting a recent vulnerability and, therefore, has a higher chance of success than the other campaigns we’ve seen recently,” said Wordfence.
“It is also unusual in that it is a set of sustained attacks, whereas attack spikes we’ve seen in the past have typically only lasted a few days before subsiding.”
To shield against attack, affected WordPress users should update the addons to the patched version immediately. Because the exploit lets attackers create administrator accounts, sites that ran a vulnerable version should also review their administrator user list for accounts they do not recognize: patching closes the hole but does not remove an account an attacker has already created.
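One way to run that review, as an added example that is not code from the article, Wordfence or the plugin vendor: feed the output of WP-CLI's `wp user list --role=administrator --format=json` into a small script that flags any administrator who is not on a known allowlist or whose account was registered after the vulnerability became public. The sample user list, the allowlist and the cutoff date below are all constructed for illustration and are assumptions, not data from the page.

```python
"""Flag WordPress administrator accounts that were not expected.

Added example, not part of the original article. Input is assumed to be the
JSON produced by:
    wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --format=json
The sample below is constructed for illustration.
"""
import json
from datetime import datetime

# Constructed sample in the shape of the WP-CLI JSON output described above.
SAMPLE_WP_USER_LIST = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2019-06-02 10:15:00"},
    {"ID": 57, "user_login": "wpadmin_support", "user_email": "x@mail.invalid",
     "user_registered": "2021-03-09 03:41:12"},
    {"ID": 58, "user_login": "editor2", "user_email": "ed@example.com",
     "user_registered": "2021-03-10 14:02:30"},
])

# Assumption: the site's legitimate administrators are known and listed here.
KNOWN_ADMINS = {"siteowner"}

# Assumption: the date from which a newly registered admin is worth a look
# (for a real site, use the day the vulnerability was disclosed or the day
# the vulnerable plugin version was installed, whichever is earlier).
REVIEW_FROM = "2021-03-08"


def suspicious_admins(wp_user_json: str, known_admins: set, review_from: str) -> list:
    """Return administrator accounts that fail either check.

    An account is flagged if its login is not in the allowlist, or if it was
    registered on or after review_from. Each hit carries the reasons so the
    reviewer can see why it was reported.
    """
    cutoff = datetime.strptime(review_from, "%Y-%m-%d")
    flagged = []
    for user in json.loads(wp_user_json):
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if user["user_login"] not in known_admins:
            reasons.append("login not in administrator allowlist")
        if registered >= cutoff:
            reasons.append(f"registered {user['user_registered']}, on or after {review_from}")
        if reasons:
            flagged.append({"ID": user["ID"], "user_login": user["user_login"],
                            "user_email": user["user_email"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_admins(SAMPLE_WP_USER_LIST, KNOWN_ADMINS, REVIEW_FROM):
        print(f"ID {hit['ID']} {hit['user_login']} <{hit['user_email']}>: "
              + "; ".join(hit["reasons"]))
```

A flagged account is a lead, not proof of compromise; confirm against whoever administers the site before deleting it, and check the web server access log around the registration timestamp for the request that created it.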