As reported by the Threat Intelligence team at Wordfence, reports of threat actors attempting to exploit the two issues in ongoing attacks had appeared as of May 6.
Elementor Pro
Elementor Pro is a paid plugin with an estimated number of over 1 million active installs, enabling users to quickly and easily develop WordPress websites from scratch, with the aid of a built-in theme builder, a visual form widget designer, and custom CSS support.
The Elementor Pro vulnerability is an RCE (Remote Code Execution) bug rated as Critical. It enables attackers with registered user access to upload arbitrary files to the affected websites and remotely execute code.
In order to preserve access to the compromised sites, attackers who successfully exploit this security issue can either install backdoors or webshells, obtain full admin access to completely compromise the site, or even entirely eliminate the site.
In case they are unable to register as users, they can exploit the second vulnerability in the over 110,000-site-installed Ultimate Addons for Elementor WordPress plugin, which will let them sign up as subscriber-level users on any site using the plugin even if us
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: