
The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass

Description

The plugin was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as to create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled and the Login widget is not active.

The vendor was notified by the two reporters:

- On March 6th, 2021 by Seravo, which was answered on March 7th, and the vulnerability acknowledged on March 9th.
- On March 7th and 8th, 2021 by WP Charged, who saw the attacks start on March 5th, 2021.

We (WPScanTeam) escalated the issues to Envato on March 8th, 2021 after confirming them and finding another similar authentication bypass issue. The free version of the plugin on the WordPress repository did not seem affected by this issue.

