Elementor PRO is a page builder for WordPress with approximately 1 million users. On the 4th of May, many websites had a suspicious subscriber register, log in, and upload malicious files.
Split seconds later, another IP address was attempting to access the uploaded files:
The POST request to the backdoor looks similar to the one below. The backdoor allows the attacker to execute any PHP function with any arguments they specify. In this case, they used it to write a file to a “tmp” directory with a particular payload that the attacker can later request to verify whether the website has been successfully infected.
Array ( [c] => file_put_contents [a] => <?php echo 'abdslk'.'dkfjke'; ?> [f] => /tmp/.... [b] => )
Two different vulnerabilities exploited
The Elementor PRO vulnerability allowed any authenticated user to upload malicious files, resulting in remote code execution. On its own, it could only be used against sites that had some form of registration open (which includes most WooCommerce stores, LMS sites, etc.).
The second vulnerability removed this limitation. A registration bypass in Ultimate Addons for Elementor allowed the attacker to create an account on sites with registration closed and then proceed to exploit the Elementor PRO vulnerability.
Elementor Pro < 2.9.4 – Authenticated Arbitrary File Upload
The arbitrary upload vulnerability in the Elementor Pro plugin allowed any authenticated user, irrespective of their user role, to submit an AJAX request that uploaded arbitrary files to the uploads directory.
The upload function was missing both a permission check and an effective file extension check. Combined with the registration bypass (or with open registration on the website), this made it easy to upload malware to the website. Since the upload request itself carried no suspicious payload, most firewalls didn’t detect anything unusual.
The issue was fixed in version 2.9.4, which added a permission check and a file extension check to the upload action.
Ultimate Addons for Elementor < 1.24.2 – Registration Bypass
In order for a malicious user to exploit the arbitrary upload vulnerability, authentication is necessary. If a site doesn’t have registrations open to the general public and the Ultimate Addons for Elementor plugin is installed, the attacker can exploit the registration bypass vulnerability in that plugin to create an account.
The issue exists in the registration form module, which is registered through an AJAX action. This AJAX action was missing two checks: whether the site allows registrations, and whether the module itself has been activated by the administrator of the website.
Version 1.24.2 of the Ultimate Addons for Elementor plugin added these two checks: whether registrations are open and whether the registration form module has been activated. Only when both conditions are met does it process the request any further.
Steps to take if you believe you’ve been affected
First, update both Elementor PRO and Ultimate Addons for Elementor to the most recent versions. Next, check the users on your WordPress site for any new or suspicious accounts. If you have registrations open and several users sign up to your site frequently, look for the “Subscriber names” we’ve collected in the IOC section below.
After you have updated the plugins and deleted the malicious users, inspect your website’s files and check whether there are any PHP or other unwanted files in the /wp-content/uploads/elementor/custom-icons/ directory. Be sure to look inside all of the folders within /wp-content/uploads/elementor/custom-icons/.
To ensure that the malware hasn’t spread elsewhere on the website, please follow the guide here.
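As an added example (not code from the post or from either plugin), the following Python script automates the file check described above: it walks the custom-icons directory, including every sub-folder, and flags files that are PHP by extension or that carry a PHP open tag under a different name. The site tree it scans is constructed inline for demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Directory the post tells you to inspect, relative to the WordPress root.
CUSTOM_ICONS_DIR = Path("wp-content/uploads/elementor/custom-icons")

# Extensions a typical web server hands to the PHP interpreter; .php is the
# obvious one, the aliases are worth flagging as well.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# Content marker: a file that opens a PHP tag is a script regardless of its name.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def scan_custom_icons(wp_root):
    """Walk every folder below custom-icons and report files that are PHP by
    extension or by content. Returns a sorted list of (relative_path, reason)."""
    findings = []
    base = Path(wp_root) / CUSTOM_ICONS_DIR
    if not base.is_dir():
        return findings
    for path in base.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(wp_root).as_posix()
        if path.suffix.lower() in PHP_EXTENSIONS:
            findings.append((rel, "php extension"))
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)  # the open tag sits at the start of a script
        if PHP_TAG.search(head):
            findings.append((rel, "php tag in content"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample site layout (hypothetical): one clean icon bundle,
    one obvious PHP drop, and one PHP file disguised as an SVG in a sub-folder."""
    root = tempfile.mkdtemp(prefix="wp-")
    base = Path(root) / CUSTOM_ICONS_DIR
    (base / "icons-1").mkdir(parents=True)
    (base / "icons-1" / "style.css").write_bytes(b".icon { color: red; }")
    (base / "backdoor.php").write_bytes(b"<?php echo 'abdslk'.'dkfjke'; ?>")
    (base / "icons-1" / "logo.svg").write_bytes(b"<svg/><?php echo 'hidden'; ?>")
    return root


if __name__ == "__main__":
    for rel, reason in scan_custom_icons(build_sample_tree()):
        print(f"{reason:20s} {rel}")
```

Point `scan_custom_icons` at the real WordPress root to triage a live site; any hit in this directory warrants a manual look, since legitimate custom icon sets contain no PHP.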
List of indicators of compromise (IOC)
Here is a set of subscriber, file and folder names, together with IP addresses, collected from the attacks.
Files within /wp-content/uploads/elementor/custom-icons/:
– Read Mw.txt
May 4th, 2020 – First attacks spotted in the wild
May 4th, 2020 – Vulnerability fixed in Ultimate Addons for Elementor version 1.24.2
May 7th, 2020 – Firewall rules and virtual patches released to all WebARX users
May 7th, 2020 – Vulnerability fixed in Elementor PRO version 2.9.4