Over the past 10 days, Wordfence has blocked over 14 million attacks targeting privilege escalation vulnerabilities in The Plus Addons for Elementor Pro. Over 75% of the sites that reported attacks during this period saw attempts from this campaign, and by April 13, 2021, it was targeting more sites than all other campaigns combined.
The plugin has an estimated install count of only about 30,000 sites, and nearly 60% of those should now be running a patched version. Even so, over 2.8 million sites protected by Wordfence have been targeted by this campaign since April 8, 2021: attackers are not checking whether the plugin is installed before firing requests. These numbers are likely mirrored across the larger WordPress ecosystem, meaning millions of sites not protected by Wordfence are probably being attacked as well.
The original vulnerability was already being actively exploited when hosting company Seravo reported it, making it a 0-day at the time. It allowed attackers to log in as an administrator, or to create new administrator accounts, on any site with the plugin installed. While analyzing the plugin, the Wordfence Threat Intelligence team found additional vulnerabilities and notified the plugin's developer. A firewall rule protecting against these vulnerabilities was released to our Premium users on March 8, 2021, and became available to free users on April 7, 2021.
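Because the vulnerability lets an attacker create administrator accounts, one check a site owner can run regardless of firewall coverage is to list every administrator account registered since the campaign began (April 8, 2021, per the figures above). The script below is an added example, not Wordfence code or part of the plugin: it runs the audit query against a constructed in-memory SQLite copy of the two relevant WordPress tables so it can be executed offline. It assumes the default `wp_` table prefix (the `wp_capabilities` meta key follows `$table_prefix` in wp-config.php, so adjust both if your prefix differs); the sample users and dates are made up for illustration.

```python
import sqlite3

# Campaign start date taken from the post above; everything else is constructed.
CAMPAIGN_START = "2021-04-08 00:00:00"

# Constructed sample rows shaped like wp_users / wp_usermeta. WordPress stores
# roles as a PHP-serialized array in the "<prefix>capabilities" meta value.
SAMPLE_USERS = [
    (1, "siteowner",   "2019-05-02 10:00:00"),
    (2, "editor_jane", "2020-11-15 08:30:00"),
    (3, "wpadmin8821", "2021-04-09 03:12:44"),  # new admin during the campaign window
    (4, "support_tmp", "2021-04-11 21:47:10"),  # new admin during the campaign window
    (5, "sub_bob",     "2021-04-12 12:00:00"),  # new, but only a subscriber
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (5, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
]

# The audit query itself. It is plain SQL and works unchanged against MySQL
# (assumed default "wp_" prefix). The LIKE pattern matches the quoted role name
# inside the serialized array, so "administrator" is not confused with a
# custom role that merely contains that substring without quotes.
AUDIT_QUERY = """
SELECT u.ID, u.user_login, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
  AND u.user_registered >= ?
ORDER BY u.user_registered
"""


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY,
            user_login TEXT NOT NULL,
            user_registered TEXT NOT NULL
        );
        CREATE TABLE wp_usermeta (
            user_id INTEGER NOT NULL,
            meta_key TEXT NOT NULL,
            meta_value TEXT NOT NULL
        );
        """
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_USERMETA)
    conn.commit()
    return conn


def find_recent_admins(conn: sqlite3.Connection, since: str = CAMPAIGN_START):
    """Return (ID, user_login, user_registered) for admins registered on/after `since`.

    The string comparison works because WordPress stores user_registered as
    'YYYY-MM-DD HH:MM:SS', which sorts lexically in chronological order.
    """
    return conn.execute(AUDIT_QUERY, (since,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for user_id, login, registered in find_recent_admins(db):
        print(f"review: admin #{user_id} '{login}' registered {registered}")
```

A hit in this list is a lead, not proof of compromise: confirm each account with whoever administers the site before removing it. The check also only covers the account-creation path; the same vulnerability let attackers log in to existing administrator accounts, so a clean result here does not rule out abuse, and a site that was unpatched during the campaign should still be reviewed for modified files, unexpected plugins and changed passwords.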