Learn how effective pillar pages and clustered content improve site structure, internal linking, and on-page SEO.
The third edition of Ranking Factors is finally here! It got a little makeover both in looks and content inside. And, for the first time, we’ve put all the factors into a sortable sheet to find the info you need, faster.
With CallRail’s VP of Product, Jason Tatum, we will also cover the past and future state of phone calls, and how you can use AI to gain valuable insights that will transform your business.Â
Dive into the future of paid search and explore the trends, strategies, and technologies that will shape the search marketing landscape.
Dive into the future of paid search and explore the trends, strategies, and technologies that will shape the search marketing landscape.
With CallRail’s VP of Product, Jason Tatum, we will also cover the past and future state of phone calls, and how you can use AI to gain valuable insights that will transform your business.Â
Zero Day total site takeover exploit discovered in popular WordPress plugin for Elementor page builder
Updated: The Plus Addons for Elementor has been fully patched in version 4.1.7 on March 9, 2021 to close the vulnerability and make the plugin secure.
A Zero Day vulnerability has been discovered in the WordPress Plus Addons for Elementor. The exploit allows a full-site takeover. Security researchers recommend immediately disabling the plugin to avoid being hacked.
The exploit is not present in Elementor itself, it’s in a popular plugin that extends Elementor.
A zero day vulnerability is a vulnerability that hackers know about but for which the software developer does not have a patch to stop it.
Normally a vulnerability is discovered and the software developer has time to fix it before the flaw is discovered by hackers.
In a typical zero day vulnerability scenario the flaw is known and actively being exploited by hackers while the software developers are racing to discover what the exploit is.
This is why zero day vulnerabilities are considered to be of high concern because websites are liable to be hacked in the time between the vulnerability is discovered and a patch is released.
The Plus Addons for Elementor is a suite of over one hundred widgets, templates and blocks that extends the design possibilities for sites that use the Elementor page builder plugin.
Elementor is a page builder plugin that extends the native WordPress editor to make it easier to create attractive websites.
The vulnerability is not on Elementor though. The vulnerability exists on a plugin that extends the design capabilities of Elementor.
There are two kinds of Plus Addons for Elementor plugins. There’s a free version and a paid version.
The flaw does not exist in the free version. So if you’re operating with the free version of the addon, then your site is safe.
The paid version of the plugin is unsafe.
According to Wordfence security researchers, the registration and login widget modules of the plugin are the attack vector.
“If you are using The Plus Addons for Elementor plugin, we strongly recommend that you deactivate and remove the plugin completely until this vulnerability is patched. If the free version will suffice for your needs, you can switch to that version for the time being.
If your site’s functionality is dependent on this plugin, we recommend completely removing any registration or login widgets added by the plugin and disabling registration on your site. No patched version is available at the time of this publication.”
It was later discovered that disabling the WP Login & Register widget is not enough to prevent being hacked.
“…the vulnerabilities are still exploitable even if the “WP Login & Register” widget is disabled. For that reason, we recommend temporarily deactivating and removing the plugin until a patch has been released.”
The plugin developer is hard at work creating a patch. An initial patch was swiftly released but WordFence researchers confirmed that it did not fully harden the plugin against the exploit.
As related above, Wordfence recommends completely deactivating and removing the plugin. If there are site functions that depend on the plugin, it’s possible to install the free version temporarily until a patch is published.
It may not be prudent to take a chance and wait for a patch because the flaw is actively being exploited.
Critical 0-day in The Plus Addons for Elementor Allows Site Takeover
Roger Montti is a search marketer with over 20 years experience. I offer site audits and phone consultations. See me ...
Conquer your day with daily search marketing news.
Join Our Newsletter.
Get your daily dose of search know-how.
In a world ruled by algorithms, SEJ brings timely, relevant information for SEOs, marketers, and entrepreneurs to optimize and grow their businesses -- and careers.
Copyright © 2023 Search Engine Journal. All rights reserved. Published by Alpha Brand Media.
source
