WordPress Ultimate Addons for Elementor fixed critical zero-day vulnerability

The WordPress Ultimate Addons for Elementor plugin fixed a critical zero-day vulnerability that could allow an unauthenticated user to gain administrator privileges via the AJAX API.

Here’s a sample log of the hacking attempt:

46.39.66.251 - - [10/Dec/2019:12:12:10 -0500] "GET / HTTP/1.0" 301 240 "xxxxxxxxxx.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
46.39.66.251 - - [10/Dec/2019:12:12:11 -0500] "GET / HTTP/1.0" 200 35421 "xxxxxxxxxx.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
46.39.66.251 - - [10/Dec/2019:12:12:12 -0500] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 1410 "https://www.xxxxxxxxxx.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
46.39.66.251 - - [10/Dec/2019:12:12:13 -0500] "GET /wp-admin/ HTTP/1.0" 200 116367 "https://www.xxxxxxxxxx.com/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
46.39.66.251 - - [10/Dec/2019:12:12:15 -0500] "GET /wp-admin/plugin-install.php HTTP/1.0" 200 124605 "https://www.xxxxxxxxxx.com/wp-admin/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
46.39.66.251 - - [10/Dec/2019:12:12:17 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200 68986 "https://www.xxxxxxxxxx.com/wp-admin/plugin-install.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
46.39.66.251 - - [10/Dec/2019:12:12:20 -0500] "GET /wp-admin/plugins.php?action=activate&plugin=seostatss%2Fseostats.php&_wpnonce=8e81b49b53 HTTP/1.0" 302 716 "https://www.xxxxxxxxxx.com/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
46.39.66.251 - - [10/Dec/2019:12:12:22 -0500] "GET /wp-admin/plugins.php?error=true&charsout=11&plugin=seostatss%2Fseostats.php&plugin_status=all&paged=1&s&_error_nonce=45461e89e8 HTTP/1.0" 200 124195 "https://www.xxxxxxxxxx.com/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
46.39.66.251 - - [10/Dec/2019:12:12:24 -0500] "GET /wp-xmlrpc.php HTTP/1.0" 200 8517 "https://www.xxxxxxxxxx.com/wp-admin/plugins.php?error=true&charsout=11&plugin=seostatss%2Fseostats.php&plugin_status=all&paged=1&s&_error_nonce=45461e89e8" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"

It shows that the attackers sent a POST request to the WordPress AJAX API and were immediately authenticated and logged in. Then, they uploaded a rogue plugin and started having fun with the blog. Scary!

This is NinjaFirewall’s log, which caught the attempt:

10/Dec/19 13:12:13  #2544597  INFO -  46.39.66.251  POST /wp-admin/admin-ajax.php - Logged in user - [xxxxxx (administrator)]
10/Dec/19 13:12:18  #4294996  INFO -  46.39.66.251  POST /wp-admin/update.php - Plugin uploaded by xxxxxx - [Name: tmp.zip]
10/Dec/19 13:12:21  #6760708  INFO -  46.39.66.251  GET /wp-admin/plugins.php - Plugin activated by xxxxxx - [Name: seostatss/seostats.php]

The flaw is in the plugin's two Google and Facebook OAuth login handlers (get_google_data and get_facebook_data in “wp-content/plugins/ultimate-elementor/modules/login-form/module.php”), which did not validate the request as expected.
The 46.39.66.251 IP was involved in all attempts we’ve seen so far.
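The access log above shows the tell-tale sequence: an unauthenticated POST to admin-ajax.php answered with 200, then a plugin upload from the same IP a few seconds later. The following detection script is an added example written for this post, not NinjaFirewall code; it parses Apache-style access log lines and flags any IP that performs that sequence inside a short window. The sample lines are constructed after the ones above (the 203.0.113.7 address and example.com referers are placeholders).

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the access log in the post (not the original log).
SAMPLE_LOG = """\
46.39.66.251 - - [10/Dec/2019:12:12:12 -0500] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 1410 "https://www.example.com/" "Mozilla/5.0"
46.39.66.251 - - [10/Dec/2019:12:12:13 -0500] "GET /wp-admin/ HTTP/1.0" 200 116367 "https://www.example.com/wp-admin/admin-ajax.php" "Mozilla/5.0"
46.39.66.251 - - [10/Dec/2019:12:12:17 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.0" 200 68986 "https://www.example.com/wp-admin/plugin-install.php" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2019:12:20:00 -0500] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 55 "https://www.example.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2019:12:20:01 -0500] "GET /wp-content/uploads/x.png HTTP/1.0" 200 55 "https://www.example.com/" "Mozilla/5.0"
"""

# Apache combined log: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_ajax_to_upload(log_text, window=timedelta(minutes=5)):
    """Map each suspicious IP to (ajax_time, upload_time): a POST to admin-ajax.php
    that is followed by a plugin upload from the same IP within `window`."""
    last_ajax = {}   # ip -> time of its most recent successful admin-ajax POST
    hits = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.startswith("/wp-admin/admin-ajax.php") and status == 200:
            last_ajax[ip] = ts
        elif method == "POST" and path.startswith("/wp-admin/update.php") and "action=upload-plugin" in path:
            t0 = last_ajax.get(ip)
            if t0 is not None and ts - t0 <= window:
                hits.setdefault(ip, (t0, ts))
    return hits

if __name__ == "__main__":
    for ip, (t0, t1) in find_ajax_to_upload(SAMPLE_LOG).items():
        print(f"{ip}: admin-ajax POST at {t0:%H:%M:%S}, plugin upload at {t1:%H:%M:%S}")
```

Legitimate administrators also POST to admin-ajax.php constantly, so in production this rule should exclude sessions that logged in through wp-login.php and known admin addresses; it is a triage filter, not proof of compromise.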

Recommendations

Update immediately if you are running a version older than 1.20.1 (<1.20.1).
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) or NinjaFirewall WP+ Edition (premium), you are already protected against this vulnerability.

Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet