The Plus Addons for Elementor, is another of the many plugins that extend the capabilities of Elementor. I don't mention it on the Elementor course nor here on How to make a websitebecause I think there are plenty of other more interesting ones to talk and write about.

However, I know that a good portion of you like to experiment and test everything that falls into your hands. Then we have WordPress with obesity level 1, 2 or even 3. I advise against it, but you don't always listen to me 😉

On 8 March Seravo and WP Charged reported a critical vulnerability in the Plus Addons for Elementor plugin, WPScan classified it as an authentication bypass vulnerability. What does this mean in plain language?

The plugin is used by hackers to bypass authentication, allowing you to log in as any user including the administrator! All you need to do is provide the associated username. You can also create new accounts with any role even if registration is disabled in WordPress settings. Thick.

If you are using this plugin but in the free version you can take a breather at this point as this devastating vulnerability applies to the PRO version. I also emphasize that it applies to this particular plugin and not Elementora.

The authors of the plug-in first released a quick fix, which partially eliminated the problem, and then version 4.1.7 appeared, which, according to claims, removes the vulnerability completely.

Wordfence reports that they are still blocking attack attempts on sites that use unpatched versions of the plugin. They have blocked nearly 10,000 attack attempts on sites that have not updated the plugin.

For several days there was a vulnerability that nobody knew about, except of course the person who found it and started exploiting it. It is estimated that it was a period of about 5 days and during that time many sites were affected.

Those whose projects were exploited saw malicious administrative accounts created. Others found a state where every URL on their sites redirected somewhere else. Attackers also installed malicious plugins called "WP Strongs" and "WP Staff". Those who can't access the admin panel may have trouble removing them, but: "How to disable the plug-in when you cannot log into the panel".

Elementor users who have the Plus Addons for Elementor plugin installed should update to the latest version and check for other malicious plugins and files.

Ideally, site owners who fall victim to exploits should have a backup of their site to restore. Chamberland of WordFence has posted a Wordfence Live broadcast, taking users through a manual cleanup of attacked sites, including replacing the wp-include and wp-admin folders, along with standard files. The recording may be helpful to those trying to remove the damage.


See also

Elementor PRO 3.3

2 new widgets in Elementor PRO 3.3

Elementor released a beta version of the upcoming Elementor PRO 3.3 release a few days ago, and as always you'll find a lot of fixes, but also some new features. The new features are two

Which page builder the website uses

In which wizard was the page made?

If you happen to find a website on the Internet that you like very much and you would like to check which website builder it was created in, you can use

Free information on JZS news

I invite you to become a subscriber! Thousands of readers already subscribe to news from JZS.

You can unsubscribe at any time. Your address is safe here.

Featured LifeTime Offers!

WriterZen LTD

Find niche phrases and create content that is perfectly optimised for...

Scalify LTD

Create ads, publish them and increase conversions for Facebook campaigns,...


Email Marketing Automation. Increase the effectiveness of your campaigns.

Leave a Reply

Your email address will not be published. Required fields are marked *