
Critical Vulnerability In Ultimate Addons For Elementor & Ultimate Addons for Beaver Builder Plugins


Updated: December 19, 2019 by Oliver Sild

This article covers one identical vulnerability in two different plugins:
1) Ultimate Addons for Elementor <= 1.20.0 – Authentication Bypass (wpvulndb)
2) Ultimate Addons for Beaver Builder <= 1.24.0 – Authentication Bypass (wpvulndb)

We started the analysis of this attack on the 11th of December, when one of our customers was investigating unexpected behavior shown in the WebARX activity logs. During the forensics we learned that the attackers had been targeting websites running the Ultimate Addons for Elementor plugin since the 10th of December.

[Screenshot: suspicious activity captured by WebARX activity logs]

Attackers are abusing a vulnerability in the plugin to log in to an existing account, then uploading a tmp.zip file to install a fake "SEO stats" plugin, which in turn drops a wp-xmlrpc.php backdoor into the root directory of the vulnerable website. After the infection, multiple IPs try to access the wp-xmlrpc.php file.

Here is what the attacker's activity looked like in the logs:

[10/Dec/2019:17:01:27 +0000] 46.39.66.251 - arxarxarx.com "GET / HTTP/1.1" 200 19573 "arxarxarx.com" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"

[10/Dec/2019:17:01:33 +0000] 46.39.66.251 - arxarxarx.com "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 33 "https://arxarxarx.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"

[11/Dec/2019:10:35:47 +0000] 46.39.66.251 - arxarxarx.com "GET /wp-admin/ HTTP/1.1" 200 48090 "https://arxarxarx.com/wp-admin/admin-ajax.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"

[11/Dec/2019:10:35:52 +0000] 46.39.66.251 - arxarxarx.com "GET /wp-admin/plugin-install.php HTTP/1.1" 200 44740 "https://arxarxarx.com/wp-admin/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"

[11/Dec/2019:10:36:06 +0000] 46.39.66.251 - arxarxarx.com "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 35471 "https://arxarxarx.com/wp-admin/plugin-install.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"

[11/Dec/2019:10:36:17 +0000] 46.39.66.251 - arxarxarx.com "GET /wp-admin/plugins.php?action=activate&plugin=seostatss%2Fseostats.php&_wpnonce=arxarxarx HTTP/1.1" 302 5 "https://arxarxarx.com/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"

[11/Dec/2019:10:36:29 +0000] 46.39.66.251 - arxarxarx.com "GET /wp-admin/plugins.php?error=true&charsout=11&plugin=seostatss%2Fseostats.php&plugin_status=all&paged=1&s&_error_nonce=arxarxarx HTTP/1.1" 200 67862 "https://arxarxarx.com/wp-admin/update.php?action=upload-plugin" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"

[11/Dec/2019:10:36:30 +0000] 46.39.66.251 - arxarxarx.com "GET /wp-xmlrpc.php HTTP/1.1" 200 329 "https://arxarxarx.com/wp-admin/plugins.php?error=true&charsout=11&plugin=seostatss%2Fseostats.php&plugin_status=all&paged=1&s&_error_nonce=arxarxarx" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"

Later, multiple IP addresses were pinging for /wp-xmlrpc.php:

[12/Dec/2019:05:49:06 +0000] 208.87.233.140 - arxarxarx.com "GET /wp-xmlrpc.php HTTP/1.1" 404 178 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24"
[12/Dec/2019:05:49:10 +0000] 64.233.172.45 - arxarxarx.com "GET /wp-xmlrpc.php HTTP/1.1" 404 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 Google Favicon"
[12/Dec/2019:06:58:37 +0000] 82.102.27.74 - arxarxarx.com "GET /wp-xmlrpc.php HTTP/1.1" 401 574 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36"
[12/Dec/2019:07:00:08 +0000] 196.55.2.2 - arxarxarx.com "POST /wp-xmlrpc.php HTTP/1.1" 403 146 "-" "python-requests/2.18.4"
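The log excerpts above show the chain a defender can look for: a plugin upload, an activation of the dropped plugin, and then a request to /wp-xmlrpc.php, followed by other IPs probing for the backdoor. The following script is an added example (not WebARX's code) that parses lines in the format printed above, groups them by source IP, and reports which IPs completed the whole chain and which only probed for the backdoor; the sample lines are taken from this article's excerpt with the user-agent trimmed.

```python
import re
from collections import defaultdict

# Access-log shape as printed in the article:
# [time] ip - host "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(r'^\[(?P<time>[^\]]+)\] (?P<ip>\S+) - \S+ '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Stages of the intrusion chain the article describes, in order; method None = any.
STAGES = [
    ("upload-plugin",   "POST", "/wp-admin/update.php?action=upload-plugin"),
    ("activate-plugin", "GET",  "/wp-admin/plugins.php?action=activate&"),
    ("backdoor-access", None,   "/wp-xmlrpc.php"),
]
CHAIN = [name for name, _, _ in STAGES]

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    for name, method, prefix in STAGES:
        if (method is None or entry["method"] == method) and entry["path"].startswith(prefix):
            return name
    return None

def analyse(lines):
    """Return (stages per IP, IPs that completed the whole chain, IPs that only probed the backdoor)."""
    stages = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        stage = classify(entry)
        if stage and stage not in stages[entry["ip"]]:
            stages[entry["ip"]].append(stage)   # first hit only, so order stays chronological
    full_chain = [ip for ip, s in stages.items() if s == CHAIN]
    probes_only = [ip for ip, s in stages.items() if s == ["backdoor-access"]]
    return dict(stages), full_chain, probes_only

# Sample input: lines from the article's log excerpt, user-agent replaced by "UA".
SAMPLE = [
    '[10/Dec/2019:17:01:33 +0000] 46.39.66.251 - arxarxarx.com "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 33 "-" "UA"',
    '[11/Dec/2019:10:36:06 +0000] 46.39.66.251 - arxarxarx.com "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 35471 "-" "UA"',
    '[11/Dec/2019:10:36:17 +0000] 46.39.66.251 - arxarxarx.com "GET /wp-admin/plugins.php?action=activate&plugin=seostatss%2Fseostats.php&_wpnonce=arxarxarx HTTP/1.1" 302 5 "-" "UA"',
    '[11/Dec/2019:10:36:30 +0000] 46.39.66.251 - arxarxarx.com "GET /wp-xmlrpc.php HTTP/1.1" 200 329 "-" "UA"',
    '[12/Dec/2019:05:49:06 +0000] 208.87.233.140 - arxarxarx.com "GET /wp-xmlrpc.php HTTP/1.1" 404 178 "-" "UA"',
    '[12/Dec/2019:07:00:08 +0000] 196.55.2.2 - arxarxarx.com "POST /wp-xmlrpc.php HTTP/1.1" 403 146 "-" "UA"',
]
```

Running `analyse(SAMPLE)` reports 46.39.66.251 as the only IP that completed the chain and the two remaining IPs as backdoor probes; an IP that only reaches the activation stage is worth reviewing as well.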

The attacks seem to have peaked on the 14th of December, when additional IPs started to exploit the vulnerability.

Authentication Bypass

The vulnerable version of the plugin has a login feature that lets people sign in with a regular username/password combination, with a Facebook account, or with a Google account.

However, the Facebook and Google login methods did not verify the token that Facebook or Google returned, and since those methods do not involve a password, no password check was performed either.


Patched code on the left, vulnerable code on the right.

This allowed malicious actors to log in, without a password, to any user account (including admin) on a website that has a vulnerable version of either plugin installed, resulting in a full authentication bypass.
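To make the bug class concrete, here is an added, illustrative model (not the plugin's code) of a social-login handler: the vulnerable variant logs in whichever existing account the request names without checking the provider token, while the fixed variant derives the identity from the provider's verified response and also checks that the token was issued to this site. `FakeProvider`, `USERS` and the token values are constructed stand-ins for the real Google/Facebook verification.

```python
# Constructed user table standing in for the WordPress user store.
USERS = {"admin@example.test": {"login": "admin", "role": "administrator"}}

class FakeProvider:
    """Stand-in for Google/Facebook token verification (hypothetical, offline)."""
    def __init__(self, client_id, issued):
        self.client_id = client_id   # this site's own OAuth client id
        self.issued = issued         # token -> claims the provider would return

    def verify(self, token):
        # A real provider rejects forged/expired tokens; we model that with a lookup.
        return self.issued.get(token)

def vulnerable_social_login(request, provider):
    # Bug class from the article: the token is never verified, so whoever
    # names an existing account's e-mail gets a session for that account.
    user = USERS.get(request.get("email"))
    return user["login"] if user else None

def fixed_social_login(request, provider):
    claims = provider.verify(request.get("token"))
    if claims is None:
        return None                  # forged, expired or missing token
    if claims.get("aud") != provider.client_id:
        return None                  # valid token, but issued for a different app
    if not claims.get("email_verified", False):
        return None                  # provider has not confirmed this address
    # Identity comes from the provider's response, never from the request body.
    user = USERS.get(claims["email"])
    return user["login"] if user else None

# Constructed tokens: one genuinely issued for this site, one for another app.
PROVIDER = FakeProvider("site-client-id", {
    "good-token":      {"email": "admin@example.test", "aud": "site-client-id",  "email_verified": True},
    "other-app-token": {"email": "admin@example.test", "aud": "other-client-id", "email_verified": True},
})
```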

The vulnerability has been fixed in version 1.20.1 of Ultimate Addons for Elementor and in version 1.24.1 of Ultimate Addons for Beaver Builder.

You can find the official statements here:
1) Ultimate Addons for Elementor
https://uaelementor.com/security-update-1201/

2) Ultimate Addons for Beaver Builder
https://www.ultimatebeaver.com/security-update-1241/

We encourage everyone to update the plugins on their websites in a timely manner and if possible, enable auto-updates. If you have one of those plugins installed, please update them immediately.

IOCs connected to the attacks:
– 46.39.66.251 (original IP that started the exploitation)
– 37.120.135.175 (second IP that began exploitation on the 12th of December)
– 185.238.1.151
– 173.212.223.130
– 185.238.1.147
– 195.123.227.37
– tmp.zip (zip file used to install the fake plugin)
– wp-xmlrpc.php (backdoor placed in the website's root directory)

All WebARX users have virtual patches deployed to their sites, and the vulnerable function is blocked by the WebARX firewall.

WebARX firewall virtual patches module actively blocking this vulnerability.


We’re still actively monitoring the situation and updating the article. If your site has already been affected, please reach out to us via live support chat or send an email to support@webarxsecurity.com
