The Elementor Pro plugin for WordPress is affected by a critical zero-day vulnerability in version 2.9.3 and below.
Update: Elementor Pro 2.9.4 has been released in order to fix the vulnerability.
The vulnerability, which is being actively exploited, allows any logged-in user, whatever their role, to upload PHP scripts to the site and execute them. Note that this affects the Elementor Pro version, not the free Elementor plugin from the wordpress.org repository.
After receiving some scary log samples from a NinjaFirewall user, we quickly reviewed the Elementor Pro installation and spotted the vulnerability, then forwarded all the information to the authors yesterday, May 6th.
The vulnerability has been exploited in the wild since at least May 5th, 2020.
Note that on websites running the Apache HTTP server with the mod_headers module enabled, the attackers do not seem to be able to execute the uploaded code because of an .htaccess restriction. They can still upload their backdoor, though, so the file must still be located and removed even on those servers.
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) or NinjaFirewall WP+ Edition (premium), you have been protected against this vulnerability since May 6th, 2020. Users running the firewall in "Full WAF" mode were already protected, because that mode does not allow PHP scripts to be executed from the "wp-content/uploads/" folder used by the attackers.
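The two practical steps that follow from the above are to look for PHP files that have no business being under "wp-content/uploads/" (the attackers' drop location) and to make sure the web server refuses to execute anything there. The script below is an added example written for this post, not NinTechNet's, NinjaFirewall's or Elementor's code: it lists PHP-like files under an uploads directory, installs an Apache 2.4 .htaccess that denies them, and builds a small constructed sample tree to demonstrate both. The directory layout, file names and extension list are assumptions for the example.

```shell
#!/bin/sh
# Added example, not NinTechNet's or Elementor's code.
# Two helpers for the attack described above:
#  1. list PHP-like files sitting under wp-content/uploads, where no
#     legitimate PHP should ever exist;
#  2. install an Apache .htaccess that refuses to serve such files.
# Directory layout, file names and the extension list are assumptions.

# Print every file under $1 whose extension suggests executable PHP.
find_php_in_uploads() {
    uploads_dir="$1"
    find "$uploads_dir" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \
           -o -iname '*.phps' -o -iname '*.php[0-9]' \) | sort
}

# Same scan, but print only the number of hits (handy for cron monitoring).
count_php_in_uploads() {
    find_php_in_uploads "$1" | wc -l | tr -d ' '
}

# Write an .htaccess into $1 that denies PHP-like files (Apache 2.4 syntax).
# It only takes effect if AllowOverride permits it for that path and the
# server is Apache; nginx ignores .htaccess files entirely.
install_uploads_htaccess() {
    uploads_dir="$1"
    cat > "$uploads_dir/.htaccess" <<'EOF'
# Deny serving of PHP scripts dropped into wp-content/uploads
<FilesMatch "\.(php|phtml|phar|phps|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# Build a constructed sample uploads tree in a temp dir and print its path:
# two harmless files plus two planted "backdoor" files (constructed data,
# not real attacker payloads from the incident).
make_sample_uploads() {
    d="$(mktemp -d)"
    mkdir -p "$d/2020/05" "$d/elementor/css"
    : > "$d/2020/05/photo.jpg"
    : > "$d/elementor/css/post-1.css"
    printf '<?php system($_GET["c"]); ?>\n' > "$d/2020/05/xyz.php"      # planted sample
    printf '<?php eval($_POST["p"]); ?>\n'  > "$d/elementor/css/x.phtml" # planted sample
    echo "$d"
}

# Stand-alone demo: scan, harden, re-scan.  Run as:  sh scan_uploads.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample="$(make_sample_uploads)"
    echo "PHP-like files under $sample:"
    find_php_in_uploads "$sample"
    install_uploads_htaccess "$sample"
    echo ".htaccess installed; hits still present on disk:"
    count_php_in_uploads "$sample"
    rm -rf "$sample"
fi
```

Two caveats for real use. The .htaccess only stops Apache from serving or executing the files; it does not remove them, so a non-zero count from the scan still means an incident to investigate (check the file's owner, timestamps and the access log for requests to it). On nginx, or on Apache with AllowOverride None, put an equivalent deny rule for PHP under the uploads path in the server configuration instead, since a dropped .htaccess is silently ignored there. The "Require all denied" directive is Apache 2.4 syntax; Apache 2.2 needs the older "Deny from all" form.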
Stay informed about the latest vulnerabilities
- Running WordPress? You can get email notifications about vulnerabilities in the plugins or themes installed on your blog.
- On Twitter: @nintechnet