WordFence is reporting that Elementor Pro has a Critical Zero Day vulnerability exploit. This vulnerability has just been patched today, May 7, 2020. Unpatched versions are reportedly actively being exploited.
Elementor just released Pro version 2.9.4, which contains the fix for the critical file upload vulnerability
Two Elementor Plugins Are Vulnerable
According to WordFence there are two plugins involved that each have a vulnerability.
Elementor Pro is a Vulnerable Plugin
Elementor Pro is the paid version of the Elementor WordPress page builder plugin. This vulnerability does not affect the free version of the Elementor plugin.
The vulnerability is rated as “critical” according to WordFence.
A hacker would need to be registered with the website in order to take advantage of the vulnerability.
If you run an Elementor Pro powered WordPress website and you allow site visitors to register in order to comment or contribute to the site, then you may be vulnerable.
If however your Elementor Pro WordPress site does not have registered users you may still be at risk.
The reason you may still be at risk is because another plugin Ultimate Addons for Elementor, allows a hacker to register as a subscriber even if registration is prohibited.
That means that the Ultimate Addons for Elementor plugin allows a hacker to hack Elementor Pro.
According to WordFence:
“Due to the vulnerability being unpatched at this time, we are excluding any further information.
We have data via another vendor that indicates the Elementor team are working on a patch. We have contacted Elementor and did not immediately receive confirmation of this before publication.”
Ultimate Addons for Elementor Vulnerability
The second plugin that is vulnerable is the Ultimate Addons for Elementor plugin. The vulnerability allows a hacker to take advantage of the Elementor Pro vulnerability if user registration is turned off.
At this moment there is a newly released patch available to fix the Elementor Pro vulnerability. Update Elementor Pro to version 2.9.4 to be protected.
There is also a patch to fix the Ultimate Addons for Elementor plugin (instructions here).
By upgrading the Ultimate Addons plugin (if you have it installed) you can in theory block a hacker from exploiting an Elementor Pro site, as long as user registrations are prohibited.
How to Protect Your Elementor Pro Website
WordFence recommends updating Elementor Pro to version 2.9.4.
Once Elementor Pro is updated you will be safe from hacking.
Read the WordFence announcement:
Combined Attack on Elementor Pro and Ultimate Addons for Elementor Puts 1 Million Sites at Risk