Critical Vulnerability Found on ‘Ultimate Addons for Elementor’ & ‘Ultimate Addons for Beaver Builder’ Plugins

Vulnerable Plugins: 

  • Ultimate Addons for Elementor
  • Ultimate Addons for Beaver Builder

Severity Level: 10

Exploitation Level: Very Easy

Vulnerability Disclosed: 11-12-2019

Patch Release Date: 11-12-2019

Patched Version:

  • Ultimate Addons for Beaver Builder –
  • Ultimate Addons for Elementor – 1.20.1

Ultimate Addons is a popular premium plugin that gives WordPress websites access to a bundle of add ons. It makes website creation and designs much easier especially for those who aren’t tech-savvy.

The plugin is built by Brainstorm Force who is expert developers. They have dozens of plugins which are being used by thousands of websites The Ultimate Addons plugin is available for Elementor and Beaver Builder and has hundreds of thousands of active installs.

Yesterday, during our regular security audits, our security researchers were surprised to discover a vulnerability in the plugins. It’s a major vulnerability that could allow hackers to gain admin access to any WordPress website that had the plugin installed. This means hackers can gain full control of your website if you are using the plugin and can create malicious files (like favicon.ico malware) to damage your site.

Being the first to discover the vulnerability, we carried out our own due diligence and contacted the Ultimate Addons team to inform them about the vulnerability that we found.

Team Brainstorm was prompt in fixing the vulnerability. They have released a patch within 7 hours and informed all their customers.

Are You Affected By This Vulnerability?

If you’re using the Ultimate Addons plugin, we urge you to update to the latest version immediately! The vulnerable version is 1.0. You need to update to the latest version released on 11th December 2019. 

  • For Ultimate Addons for Beaver Builder, the secure version is
  • For Ultimate Addons for Elementor, the secure version is 1.20.1.

If your website is using an older version, it will make your site vulnerable to hackers.

We have already detected this vulnerability being exploited. If you want to check if your website has been exploited, use our MalCare Security Plugin. It will scan your site and detect any suspicious or hacking activities on your site.

Vulnerability Details

Yesterday, our team saw unusual activity among websites. This led our team to find the vulnerability which was being exploited in a few sites.

The vulnerability we found occurs as soon as you install the plugin on your website. If a hacker knows the email ID of any user of a WordPress website, they can craft a special request and gain admin control.

To exploit the vulnerability, the hacker needs to use the email ID of an admin user of the site. In most cases, this information can be retrieved fairly easily. A few hosting providers also make it easy to find the admin email ID of a website. Hence we have reached out to hosting providers informing them about our discovery to minimize the potential damage.

Vulnerability Impact: What Are The Risks?

If this vulnerability was found by hackers, it could potentially put hundreds of thousands of WordPress sites at risk of being hacked!

If a hacker gains admin access, there’s no telling what they would use your website for. There’s a long list of common WordPress site hacks that they could run such as

Being hacked is extremely detrimental to your site and your business. Further, recovery costs can skyrocket very quickly!

IMPORTANT: Update The Plugin Immediately!

If you’re using the Elementor Ultimate Addons or Ultimate Beaver Builder plugin on your WordPress site, you need to update them right now. You can do this from your wp-admin dashboard.

wordpress updates
Dashboard > Updates

If for some reason you are unable to update them from the wp-admin dashboard, we strongly recommend installing the MalCare Security Plugin. From the independent MalCare dashboard, you can update the plugins on your website or delete them altogether.

MalCare dashboard
MalCare dashboard

If you want to update the plugin manually, here’s how you can do it:

  1. Download the latest version of the Ultimate Addons for Beaver Builder or login to Ultimate Addons for Elementor and download the latest version.
  2. Uninstall the previous version from your website. This means you need to deactivate and delete the plugin. (You won’t lose any data.)
  3. Next, upload and install the latest version of the Ultimate Addons that you just downloaded.

Has Your WordPress Website Already Been Hacked?

If you have been hacked already or suspect you’ve been hacked, we recommend leveraging MalCare’s malware detection and removal services immediately. Install the MalCare Security plugin and it will run a thorough scan of your website. If it finds any malware, you’ll be alerted. You can clean up the hack instantly with our auto-clean feature.

Malacre Auto-Clean
MalCare Auto-Clean

The automated process will clean up your hacked site in under a few minutes. Post that, MalCare will continue to provide you protection against hacks like these in the future.

Recommended read: How to clean WordPress theme hack.

Another malware that has been raking up the news is the WP-VCD malware. Here’s a guide on how to remove the WP-VCD malware.

Security is a continuous endeavour and needs to be monitored regularly. Follow MalCare for more updates on security.


Springzo is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Springzo distils the wisdom gained from building plugins to solve security issues that admins face.

Copy link
Powered by Social Snap