Connect with us


The Plus Addons for Elementor Critical Vulnerability via @martinibuster



A Zero Day vulnerability has been discovered in the WordPress Plus Addons for Elementor. The exploit allows a full-site takeover. Security researchers recommend immediately disabling the plugin to avoid being hacked.

The exploit is not present in Elementor itself, it’s in a popular plugin that extends Elementor.

Zero Day Vulnerability

A zero day vulnerability is a vulnerability that hackers know about but for which the software developer does not have a patch to stop it.

Normally a vulnerability is discovered and the software developer has time to fix it before the flaw is discovered by hackers.


Continue Reading Below

In a typical zero day vulnerability scenario the flaw is known and actively being exploited by hackers while the software developers are racing to discover what the exploit is.

This is why zero day vulnerabilities are considered to be of high concern because websites are liable to be hacked in the time between the vulnerability is discovered and a patch is released.

The Plus Addons for Elementor Exploit

The Plus Addons for Elementor is a suite of over one hundred widgets, templates and blocks that extends the design possibilities for sites that use the Elementor page builder plugin.

Elementor is a page builder plugin that extends the native WordPress editor to make it easier to create attractive websites.

The vulnerability is not on Elementor though. The vulnerability exists on a plugin that extends the design capabilities of Elementor.


Continue Reading Below

What is the Plus Addons for Elementor Vulnerability?

There are two kinds of Plus Addons for Elementor plugins. There’s a free version and a paid version.

The flaw does not exist in the free version. So if you’re operating with the free version of the addon, then your site is safe.

The paid version of the plugin is unsafe.

Paid Version of Plus Addon is Vulnerable

According to Wordfence security researchers, the registration and login widget modules of the plugin are the attack vector.

“If you are using The Plus Addons for Elementor plugin, we strongly recommend that you deactivate and remove the plugin completely until this vulnerability is patched. If the free version will suffice for your needs, you can switch to that version for the time being.

If your site’s functionality is dependent on this plugin, we recommend completely removing any registration or login widgets added by the plugin and disabling registration on your site. No patched version is available at the time of this publication.”

It was later discovered that disabling the WP Login & Register widget is not enough to prevent being hacked.

“…the vulnerabilities are still exploitable even if the “WP Login & Register” widget is disabled. For that reason, we recommend temporarily deactivating and removing the plugin until a patch has been released.”

A Patch is in the Works – But Take Action Now

The plugin developer is hard at work creating a patch. An initial patch was swiftly released but WordFence researchers confirmed that it did not fully harden the plugin against the exploit.

Take Action Now

As related above, Wordfence recommends completely deactivating and removing the plugin. If there are site functions that depend on the plugin, it’s possible to install the free version temporarily until a patch is published.

It may not be prudent to take a chance and wait for a patch because the flaw is actively being exploited.


Critical 0-day in The Plus Addons for Elementor Allows Site Takeover


Google December Product Reviews Update Affects More Than English Language Sites? via @sejournal, @martinibuster



Google’s Product Reviews update was announced to be rolling out to the English language. No mention was made as to if or when it would roll out to other languages. Mueller answered a question as to whether it is rolling out to other languages.

Google December 2021 Product Reviews Update

On December 1, 2021, Google announced on Twitter that a Product Review update would be rolling out that would focus on English language web pages.

The focus of the update was for improving the quality of reviews shown in Google search, specifically targeting review sites.

A Googler tweeted a description of the kinds of sites that would be targeted for demotion in the search rankings:

“Mainly relevant to sites that post articles reviewing products.

Think of sites like “best TVs under $200″.com.

Goal is to improve the quality and usefulness of reviews we show users.”


Continue Reading Below

Google also published a blog post with more guidance on the product review update that introduced two new best practices that Google’s algorithm would be looking for.

The first best practice was a requirement of evidence that a product was actually handled and reviewed.

The second best practice was to provide links to more than one place that a user could purchase the product.

The Twitter announcement stated that it was rolling out to English language websites. The blog post did not mention what languages it was rolling out to nor did the blog post specify that the product review update was limited to the English language.

Google’s Mueller Thinking About Product Reviews Update

Screenshot of Google's John Mueller trying to recall if December Product Review Update affects more than the English language

Screenshot of Google's John Mueller trying to recall if December Product Review Update affects more than the English language

Product Review Update Targets More Languages?

The person asking the question was rightly under the impression that the product review update only affected English language search results.


Continue Reading Below

But he asserted that he was seeing search volatility in the German language that appears to be related to Google’s December 2021 Product Review Update.

This is his question:

“I was seeing some movements in German search as well.

So I was wondering if there could also be an effect on websites in other languages by this product reviews update… because we had lots of movement and volatility in the last weeks.

…My question is, is it possible that the product reviews update affects other sites as well?”

John Mueller answered:

“I don’t know… like other languages?

My assumption was this was global and and across all languages.

But I don’t know what we announced in the blog post specifically.

But usually we try to push the engineering team to make a decision on that so that we can document it properly in the blog post.

I don’t know if that happened with the product reviews update. I don’t recall the complete blog post.

But it’s… from my point of view it seems like something that we could be doing in multiple languages and wouldn’t be tied to English.

And even if it were English initially, it feels like something that is relevant across the board, and we should try to find ways to roll that out to other languages over time as well.

So I’m not particularly surprised that you see changes in Germany.

But I also don’t know what we actually announced with regards to the locations and languages that are involved.”

Does Product Reviews Update Affect More Languages?

While the tweeted announcement specified that the product reviews update was limited to the English language the official blog post did not mention any such limitations.

Google’s John Mueller offered his opinion that the product reviews update is something that Google could do in multiple languages.

One must wonder if the tweet was meant to communicate that the update was rolling out first in English and subsequently to other languages.

It’s unclear if the product reviews update was rolled out globally to more languages. Hopefully Google will clarify this soon.


Google Blog Post About Product Reviews Update

Product reviews update and your site

Google’s New Product Reviews Guidelines

Write high quality product reviews

John Mueller Discusses If Product Reviews Update Is Global

Watch Mueller answer the question at the 14:00 Minute Mark

[embedded content]

Continue Reading

Subscribe To our Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address