Security hole in Plus Addons for Elementor plugin was used in active zero-day attacks prior to a patch being issued. Bug (CVE-2021-24175) is a privilege-escalation and authentication-bypass issue that exists in this registration form function. It rates 9.8 on the CVSS vulnerability scale, making it critical in severity. Site admins should upgrade to version 4.1.1 of the plugin to avoid compromise, and they should check for any unexpected administrative users or plugins you did not install, researchers said.
Source: https://threatpost.com/cyberattackers-exploiting-critical-wordpress-plugin-bug/164663/