Attackers are actively exploiting two vulnerabilities in WordPress plugins to execute arbitrary code remotely. Any registered user, even one with only subscriber privileges, can upload arbitrary files, install a backdoor to keep access, escalate to full administrative control, or delete the site outright.
According to the researchers who reported it, the first bug was a zero-day: a critical-severity vulnerability in the Elementor Pro plugin, which has over one million active installations. It allowed any registered user to upload arbitrary files, which is what turns the flaw into remote code execution.
The second vulnerability is a registration bypass in Ultimate Addons for Elementor, a WordPress plugin with over 110,000 installations. On sites with open user registration attackers can simply sign up, but even where registration is disabled the bypass lets them register subscriber-level accounts on any site running the plugin. Chained with the Elementor Pro bug, that gives an attacker with no account at all the registered user it needs for remote code execution.
In order to be protected from these ongoing attacks:
Update Elementor Pro to version 2.9.4, which fixes the remote code execution vulnerability.
Users of the Ultimate Addons for Elementor plugin need to upgrade to version 1.24.2.
In addition, Adcy.io recommends:
Look for any unknown subscriber-level users on your site. If you find accounts you cannot account for, treat the site as potentially compromised: remove them and investigate further.
Look for files named “wp-xmlrpc.php” (not the core xmlrpc.php in the site root); their presence is an indicator of compromise. Likewise remove any unknown files or folders in the “/wp-content/uploads/elementor/custom-icons/” directory, as they are also an indicator of compromise.
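As an added example (not code from the article or from the plugin vendors), the following Python script runs the checks above against a WordPress install directory: it compares each plugin's header version with the fixed release, searches for the wp-xmlrpc.php and custom-icons indicators, and reviews a subscriber list against an owner-maintained allow-list. The plugin directory slugs, the user-record shape (modelled on `wp user list --format=json`), and the sample site it builds when run without arguments are assumptions and constructed data, not findings from a real site.

```python
"""Offline checks for the two plugin advisories above.  Added example, not
article or vendor code.  Plugin slugs, user-record shape and the sample site
tree are assumptions / constructed data."""
import os
import re
import sys
import tempfile

# Fixed versions named in the article, keyed by the plugin's main file.
# The directory slugs are assumed; the article does not state them.
FIXED_VERSIONS = {
    "elementor-pro/elementor-pro.php": (2, 9, 4),
    "ultimate-elementor/ultimate-elementor.php": (1, 24, 2),
}
CUSTOM_ICONS = os.path.join("wp-content", "uploads", "elementor", "custom-icons")
IOC_FILENAME = "wp-xmlrpc.php"        # core xmlrpc.php in the site root is legitimate
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9.]*)", re.M)


def version_tuple(text):
    """'2.9.3' -> (2, 9, 3) so that tuple comparison orders releases correctly."""
    return tuple(int(p) for p in text.strip(".").split("."))


def parse_plugin_version(path):
    """Read the Version: header from a plugin's main file, or None if missing."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)          # WordPress itself only reads the first 8 KiB
    match = _VERSION_RE.search(head)
    return version_tuple(match.group(1)) if match else None


def outdated_plugins(wp_root):
    """(plugin, installed, fixed) for each installed plugin below its fixed version."""
    findings = []
    for rel, fixed in FIXED_VERSIONS.items():
        path = os.path.join(wp_root, "wp-content", "plugins", rel)
        if not os.path.isfile(path):
            continue                  # plugin not installed on this site
        installed = parse_plugin_version(path)
        if installed is None or installed < fixed:
            findings.append((rel, installed, fixed))
    return findings


def find_iocs(wp_root):
    """Locate the file-system indicators named in the advisory."""
    hits = {"wp_xmlrpc": [], "custom_icons_php": [], "custom_icons_entries": []}
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), wp_root)
            if name == IOC_FILENAME:
                hits["wp_xmlrpc"].append(rel)
            # PHP anywhere under the custom-icons upload directory is never legitimate
            if rel.startswith(CUSTOM_ICONS + os.sep) and name.lower().endswith((".php", ".phtml")):
                hits["custom_icons_php"].append(rel)
    icons = os.path.join(wp_root, CUSTOM_ICONS)
    if os.path.isdir(icons):          # every entry here deserves a manual look
        hits["custom_icons_entries"] = [os.path.join(CUSTOM_ICONS, n) for n in os.listdir(icons)]
    return {key: sorted(paths) for key, paths in hits.items()}


def unknown_subscribers(users, known_logins):
    """Subscriber accounts absent from the owner's allow-list.  Records are assumed
    to look like `wp user list --format=json` output (user_login, roles)."""
    return sorted(u["user_login"] for u in users
                  if "subscriber" in u.get("roles", "") and u["user_login"] not in known_logins)


def build_sample_site():
    """Constructed sample tree: one outdated plugin, one patched, two planted IOCs."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "xmlrpc.php": "<?php // WordPress core file, not an indicator\n",
        "wp-content/plugins/elementor-pro/elementor-pro.php":
            "<?php\n/**\n * Plugin Name: Elementor Pro\n * Version: 2.9.3\n */\n",
        "wp-content/plugins/ultimate-elementor/ultimate-elementor.php":
            "<?php\n/**\n * Plugin Name: Ultimate Addons for Elementor\n * Version: 1.24.2\n */\n",
        "wp-content/uploads/elementor/custom-icons/my-icons/style.css": "/* a real icon set */\n",
        "wp-content/uploads/elementor/custom-icons/shell.php": "<?php // planted: PHP in uploads\n",
        "wp-content/wp-xmlrpc.php": "<?php // planted: the IOC filename from the advisory\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


SAMPLE_USERS = [  # constructed records; the last one is the kind of account to review
    {"user_login": "editor_jane", "roles": "editor", "user_registered": "2019-03-01 10:00:00"},
    {"user_login": "reader42", "roles": "subscriber", "user_registered": "2019-08-12 08:15:00"},
    {"user_login": "qwzx81", "roles": "subscriber", "user_registered": "2020-05-06 03:42:11"},
]


def audit(wp_root, users=(), known_logins=()):
    return {"outdated": outdated_plugins(wp_root),
            "iocs": find_iocs(wp_root),
            "unknown_subscribers": unknown_subscribers(users, set(known_logins))}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_site()
    report = audit(root, SAMPLE_USERS, {"reader42"})
    for plugin, installed, fixed in report["outdated"]:
        print(f"UPDATE   {plugin}: installed {installed}, fixed in {fixed}")
    for key, paths in report["iocs"].items():
        for path in paths:
            print(f"{key:21s} {path}")
    for login in report["unknown_subscribers"]:
        print(f"REVIEW   unknown subscriber account: {login}")
```

Run it with the site root as the first argument on a real install; without one it audits the constructed sample tree. The custom-icons listing is deliberately a review list rather than an auto-delete, because legitimate icon sets live there too; only PHP under that upload directory is reported as a definite indicator. The subscriber check needs the user list exported from the site (for example via WP-CLI) and an allow-list you maintain, since nothing in the file system tells you which subscribers are expected.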