Vulnerable Plugins: 

  • Ultimate Addons for Elementor
  • Ultimate Addons for Beaver Builder

Severity Level: 10

Exploitation Level: Very Easy

Vulnerability Disclosed: 11-12-2019

Patch Release Date: 11-12-2019

Patched Version:

  • Ultimate Addons for Beaver Builder – 1.2.4.1
  • Ultimate Addons for Elementor – 1.20.1

Ultimate Addons is a popular premium plugin that gives access to a package of add-ons for WordPress websites. It makes building websites and designs much simpler, especially for those who are not tech-savvy.

Brainstorm Power, who are expert developers, designed the plugin. The Ultimate Addons plugin is available for Elementor and Beaver Builder and has hundreds of thousands of active installations. The developers maintain dozens of products that are used by thousands of websites.

Yesterday, during our routine security audits, our security analysts were shocked to find a flaw in these plugins. It is a critical weakness that lets attackers obtain admin access on any WordPress website that has the plugin enabled. This means that if you are using the plugin, attackers can take complete control of your website.

As the first to find the vulnerability, we carried out our own due diligence and contacted the Ultimate Addons team to report what we had discovered.

Team Brainstorm was prompt in addressing the vulnerability. They issued a patch and notified all their customers within 7 hours.

Are You Affected By This Vulnerability?

If you are using the Ultimate Addons plugin, we advise you to upgrade to the new version immediately! The version that is vulnerable is 1.0.0. You need to switch to the most recent update, which was released on December 11, 2019.

  • For Ultimate Addons for Beaver Builder, the patched version is 1.2.4.1.
  • For Ultimate Addons for Elementor, the patched version is 1.20.1.

If an outdated version is running on your website, your website is open to attackers.

We have already observed this flaw being abused in the wild. If you want to verify whether your website has been exploited, use our MalCare Protection Plugin. It will scan your site and detect any unauthorised or hacking activity on it.

Vulnerability Details

Our team saw suspicious behaviour on a number of websites yesterday. This led us to identify the weakness that was being abused across those sites.

The flaw we observed is present as soon as the plugin is installed on your website. If an attacker knows the email ID of any user of a WordPress website, they can craft a special request that takes over that user's account, including the admin account.

To exploit the vulnerability, the attacker needs the email ID of an admin user of the site. In most situations this information can be obtained fairly quickly; some hosting companies make it easy to locate a website's admin email ID. Therefore, to limit the possible harm, we have reached out to hosting providers to inform them of our discovery.

Effect of Vulnerability: What are the risks?

If this flaw were discovered by attackers, it could put hundreds of thousands of WordPress websites at risk of compromise!

Once an attacker has admin access, there is no telling what they will use the website for. They might carry out any of a long list of common WordPress hacks: stealing information, redirecting visitors to spam pages, selling illicit and fraudulent goods, using the site to launch attacks on larger sites, using black hat SEO methods to promote their own products (recommended reading: pharma hack), and so on.

Being compromised is incredibly damaging to your website and your organisation, and recovery costs can skyrocket very rapidly!

IMPORTANT: Upgrade the Plugin Immediately!

If you are using the Ultimate Addons for Elementor or Ultimate Addons for Beaver Builder plugin on your WordPress site, you need to update it right now. You can do this from your wp-admin dashboard.

If for any reason you cannot upgrade from the wp-admin dashboard, we highly suggest installing the MalCare Protection Plugin. From the independent MalCare dashboard you can upgrade the plugins on your website or delete them completely.

Here's how to update the plugin manually:

  • Log in to your Ultimate Addons for Beaver Builder or Ultimate Addons for Elementor account and download the latest version.
  • Uninstall the previous version from your website. This means deactivating and deleting the plugin. (You will not lose any data.)
  • Next, upload and install the latest version of Ultimate Addons that you have just downloaded.
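As an added example (not MalCare's or Brainstorm's code), the following script checks whether the installed plugin versions are at or above the patched releases listed above. It assumes WP-CLI is available on the server and that the plugins appear in `wp plugin list` under the slugs given in the table below; those slugs are assumptions and should be confirmed against the `name` column of `wp plugin list` before relying on the output. The version comparison is pure POSIX sh, so it also runs without WP-CLI on a version string you supply by hand.

```shell
#!/bin/sh
# Check installed Ultimate Addons versions against the patched releases.
# Added example; assumes numeric dotted versions (e.g. 1.2.4.1), no suffixes.

# version_ge A B: succeed (return 0) when dotted version A >= B.
# Compares component by component; missing components count as 0,
# so 1.2.4 < 1.2.4.1 and 1.9 < 1.20.1.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# check_plugin LABEL INSTALLED PATCHED: print a verdict, succeed if patched.
check_plugin() {
    if version_ge "$2" "$3"; then
        echo "OK        $1 $2 (patched release is $3)"
        return 0
    fi
    echo "VULNERABLE $1 $2 (upgrade to $3 or later)"
    return 1
}

# Assumed plugin slugs (confirm with: wp plugin list --fields=name,version).
# Patched versions are the ones stated in the advisory.
PLUGINS="ultimate-elementor:1.20.1 bb-ultimate-addon:1.2.4.1"

# When WP-CLI is present, query the live site; otherwise do nothing at load.
if command -v wp >/dev/null 2>&1; then
    status=0
    for entry in $PLUGINS; do
        slug="${entry%%:*}"; patched="${entry#*:}"
        installed="$(wp plugin get "$slug" --field=version 2>/dev/null || true)"
        if [ -z "$installed" ]; then
            echo "NOT FOUND  $slug (not installed under this slug)"
            continue
        fi
        check_plugin "$slug" "$installed" "$patched" || status=1
    done
    exit "$status"
fi
```

Run it on the server as the web user (`sh check-uae.sh`); a non-zero exit status means at least one installed copy is still below the patched version, which makes the check easy to wire into a cron job or a deployment gate.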

Has Your WordPress Website Already Been Hacked?

If you have been compromised, or fear that you have been, we suggest using MalCare's malware detection and removal service right away. Install the MalCare Protection Plugin and it will run a comprehensive scan of your website. If any malware is detected, you will be alerted, and with our auto-clean feature you can clean up the hack instantly.

The automated procedure cleans up your compromised site in a matter of minutes. After that, MalCare will continue to protect you from hacks like these.

The WP-VCD malware is another threat that has been making headlines. Here's a guide to removing the WP-VCD malware.

Security is a continuous effort and needs constant monitoring. For more security updates, follow MalCare.