Chloe Chamberland, over at Wordfence, Critical 0-day in The Plus Addons for Elementor Allows Site Takeover:
Today, March 8, 2021, the Wordfence Threat Intelligence team became aware of a critical 0-day in The Plus Addons for Elementor, a premium plugin that we estimate has over 30,000 installations. This vulnerability was reported this morning to WPScan by Seravo, a hosting company. The flaw makes it possible for attackers to create new administrative user accounts on vulnerable sites, if user registration is enabled, along with logging in as other administrative users.
As of publication, this remains unpatched.