1 Million Sites at Risk With Combined Attack on Elementor Pro and Ultimate Addons
On May 6th 2020, the threat intelligence team of Wordfence received reports of unusual activity involving vulnerabilities in two related plugins, Elementor Pro and Ultimate Addons for Elementor.
They reviewed the log files of compromised sites to confirm this activity.
The attack is ongoing, so complete information about it is not yet available, and its severity is undetermined. Wordfence is still investigating the details and has disclosed only enough to alert users so that they can protect themselves.
Which plugins are affected by this attack?
Two plugins are affected. The first is Elementor Pro, which is made by Elementor. This plugin has a zero-day vulnerability that is exploitable if the site has open user registration.
The second affected plugin is Ultimate Addons for Elementor, which is made by Brainstorm Force. A vulnerability in this plugin allows the Elementor Pro vulnerability to be exploited, even if the site does not have user registration enabled.
We estimate that Elementor Pro is installed on over 1 million sites and that Ultimate Addons has an install base of roughly 110,000.
Users who have installed Elementor Pro will be affected by this. However, the free version of Elementor, which has over 4 million downloads, is unaffected as of now, whereas Elementor Pro has 1 million downloads.
Read in detail how this will affect your site and how you can protect yourself.