

Today, March 8, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day in The Plus Addons for Elementor, a premium plugin that we estimate has over 30,000 installations. This vulnerability was reported this morning to WPScan by Seravo, a hosting company. The flaw makes it possible for attackers to create new administrative user accounts on vulnerable sites, if user registration is enabled, along with logging in as other administrative users.

The plugin developer released a partially patched version of the plugin (4.1.6) shortly after our disclosure; however, the update does not fully address the vulnerability. We are in contact with the developer and they are working quickly on the additional fixes required, and we expect a new patch will be released shortly. We will update this post once a fully sufficient patch has been released.

Wordfence Premium customers received a rule on March 8, 2021 to protect against active exploitation of this vulnerability. Wordfence users still using the free version will receive protection on April 7, 2021.

The Plus Addons for Elementor Lite, the free version by the same developer, does not appear to be vulnerable to this exploit. If the free version will suffice for your needs, you can switch to that version for the time being. If you are using The Plus Addons for Elementor plugin, we strongly recommend that you deactivate and remove the plugin completely until this vulnerability is patched.

UPDATE 1: As of March 9th, 2021, the vulnerability is still not fully patched.

UPDATE 2: As of late March 9th, 2021, the vulnerabilities have been fully patched in version 4.1.7. We highly recommend updating to this version immediately to keep your sites secure. Special thanks to the plugin developers for working as quickly as possible to resolve these issues.
