WordPress released security patches on 9th March 2021 addressing a zero-day vulnerability that can be exploited in the Plus Addon for Elementor WordPress plugin.
Summary
The privilege escalation vulnerability in the Plus Addon for Elementor WordPress plugin was first identified on 8th March 2021. It could allow an attacker to use an administrative account or create a new administrative user account on vulnerable sites, if user registration is enabled, along with logging in as other administrative users.
Product Affected:
The plus_elementor_addon
SOLUTIONS:
It is recommended that you deactivate and remove the plugin completely until this vulnerability is patched. If the free version suits the needs of the website, switch to that in the meantime.
It is recommended that updates be installed immediately once they are available to protect against attacks.
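The following added example (not part of the original alert or of the plugin's code) shows one way to check a site against the points above: whether a plugin folder matching the product name is installed, whether user registration is open, and which administrator accounts were created inside a review window. It assumes the administrator list was exported as CSV, for instance with WP-CLI's `wp user list --role=administrator --fields=user_login,user_registered --format=csv`; the function names, the cutoff date and the sample accounts are constructed for illustration.

```python
import csv
import io
from datetime import datetime
from pathlib import Path

# Product name exactly as written in this alert; matching it as a substring of
# plugin folder names is an assumption about how the plugin is installed.
PLUGIN_MARKER = "plus_elementor_addon"

def find_plugin_dirs(wp_root):
    """Return plugin folder names under wp-content/plugins containing the marker."""
    plugins = Path(wp_root) / "wp-content" / "plugins"
    if not plugins.is_dir():
        return []
    return sorted(p.name for p in plugins.iterdir()
                  if p.is_dir() and PLUGIN_MARKER in p.name.lower())

def admins_registered_since(csv_text, cutoff):
    """Return (login, registered) for administrators created on or after cutoff."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff:
            flagged.append((row["user_login"], registered))
    return flagged

def triage(plugin_dirs, registration_enabled, flagged):
    """Summarise exposure: plugin present, registration open, new admins to review."""
    findings = []
    if plugin_dirs:
        findings.append("plugin installed: " + ", ".join(plugin_dirs))
        if registration_enabled:
            findings.append("user registration is enabled")
    findings += [f"review administrator '{u}' registered {t:%Y-%m-%d %H:%M}"
                 for u, t in flagged]
    return findings

# Constructed sample: administrator export with two accounts.
SAMPLE_ADMINS = """user_login,user_registered
siteowner,2019-06-02 10:15:00
wpsupport_x,2021-03-08 23:41:07
"""

if __name__ == "__main__":
    cutoff = datetime(2021, 3, 1)  # constructed start of the review window
    recent = admins_registered_since(SAMPLE_ADMINS, cutoff)
    for line in triage(find_plugin_dirs("."), True, recent):
        print(line)
```

Any administrator flagged this way still needs manual confirmation by the site owner, since a recent registration date alone does not show how the account was created.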
For further information on this vulnerability, see the URL below:
https://www.securityweek.com/vulnerability-allows-complete-wordpress-site-takeover-exploited-wild
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.