Today, March 8, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day in The Plus Addons for Elementor, a premium plugin that we estimate has over 30,000 installations. This vulnerability was reported this morning to WPScan by Seravo, a hosting company. The flaw makes it possible for attackers to create new administrative user accounts on vulnerable sites, if user registration is enabled, along with logging in as other administrative users.
The Plus Addons for Elementor Lite, the free version by the same developer, does not appear to be vulnerable to this exploit.
None of the sites currently under management by ProtectYourWP.com are affected by this bug.