A critical vulnerability has been discovered in the widely used Elementor Pro WordPress plugin. Attackers are actively attempting to exploit the flaw, which affects versions before v3.11.6 and impacts over eleven million websites. This threat feed post digs into the vulnerability's details and consequences.
Elementor Pro is a WordPress page builder that lets users create professional-looking websites without learning how to code. It includes drag-and-drop editing, a template library, theme building, and a WooCommerce builder.
NinTechNet researcher Jerome Bruandet found this vulnerability on March 18, 2023, and provided technical information about how the flaw can be abused when set up alongside WooCommerce.
The Elementor Pro flaw is exceptionally dangerous because it enables attackers to breach security measures and obtain access to the website’s backend.
According to the researcher, the vulnerability is caused by broken access control in the WooCommerce module (“elementor-pro/modules/woocommerce/module.php”), which allows anyone to change WordPress settings in the database without adequate verification.
The flaw is exploitable because of poor input validation and missing capability checks in the vulnerable AJAX action, pro_woocommerce_update_page_option.
Bruandet briefly explained this in a technical article about the issue: “An authenticated attacker can use the vulnerability to create an administrator account through registration and setting the default role to ‘administrator,’ alter the email address of the administrator, or reroute all incoming traffic to a malicious website by changing the site URL.”
It is essential to note that to abuse this vulnerability, the WooCommerce plugin, which activates the corresponding vulnerable module in Elementor Pro, must be installed on the site.
According to WordPress security company “PatchStack,” malicious users are actively exploiting the Elementor Pro plugin bug to redirect legitimate visitors to harmful sites or upload backdoors to the compromised site. PatchStack has also found that the backdoors uploaded in these attacks are named wp-rate.php, lll.zip, or wp-resortpark.zip. “BleepingComputer” obtained a copy of the lll.zip archive, which contains a PHP script that lets a remote attacker upload more files to the hacked server.
This backdoor would grant the intruder complete access to the WordPress site, allowing them to steal data or upload further malicious code. The majority of attacks on vulnerable websites are launched from three IP addresses: 220.127.116.11, 18.104.22.168, and 22.214.171.124.
Fortunately, the Elementor Pro vulnerability was patched on March 22nd, just four days after it was found and reported to the authors. Patchstack, however, reports ongoing exploitation from multiple IP addresses, files being uploaded to more vulnerable sites, and site URLs being changed to attacker-controlled locations.
To avoid becoming a victim of this security flaw, it is essential to update to the most recent version of Elementor Pro, 3.11.7 or later, as soon as possible. It is also recommended that the three IP addresses listed above be added to a block list.
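The following added example (not code from the advisory or from Elementor) shows how a defender could triage web-server access logs and a dump of wp_options for the indicators named in this post: the pro_woocommerce_update_page_option AJAX action, the reported backdoor filenames, the three source IPs, and the post-exploitation setting changes (open registration with an administrator default role, a changed site URL). The log lines and option values are constructed sample data; the expected site URL is an assumed parameter.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators quoted in the post above (not a complete list of what attackers may use).
AJAX_ACTION = "pro_woocommerce_update_page_option"
BACKDOOR_NAMES = {"wp-rate.php", "lll.zip", "wp-resortpark.zip"}
KNOWN_SOURCE_IPS = {"220.127.116.11", "18.104.22.168", "22.214.171.124"}

# Apache/nginx "combined" access-log layout: ip - - [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 addresses plus one IP from the post).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Mar/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512',
    '18.104.22.168 - - [30/Mar/2023:10:01:05 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=pro_woocommerce_update_page_option HTTP/1.1" 200 31',
    '198.51.100.9 - - [30/Mar/2023:10:02:11 +0000] "GET /wp-content/uploads/lll.zip HTTP/1.1" 200 2048',
]


def classify_line(line):
    """Return the indicator names one access-log line matches (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    target = urlsplit(m.group("target"))
    # admin-ajax.php reads "action" from GET or POST; only the query-string form is visible
    # in an access log, so pair this with a WAF or plugin audit log for POST bodies.
    if target.path.endswith("/wp-admin/admin-ajax.php") and AJAX_ACTION in parse_qs(target.query).get("action", []):
        reasons.append("vulnerable_ajax_action")
    if target.path.rsplit("/", 1)[-1] in BACKDOOR_NAMES:
        reasons.append("known_backdoor_filename")
    if m.group("ip") in KNOWN_SOURCE_IPS:
        reasons.append("known_attacker_ip")
    return reasons


def scan_log(lines):
    """Return [(line, reasons)] for every flagged line in the log."""
    return [(line, classify_line(line)) for line in lines if classify_line(line)]


def check_options(options, expected_url):
    """Flag wp_options values matching the setting changes the researcher describes."""
    findings = []
    if options.get("users_can_register") == "1" and options.get("default_role") == "administrator":
        findings.append("open_registration_with_admin_default_role")
    if options.get("siteurl") != expected_url or options.get("home") != expected_url:
        findings.append("site_url_changed")
    return findings
```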
This is not the first time attackers have targeted WordPress plugins. Last week, WordPress was compelled to carry out a forced upgrade of the WooCommerce Payments plugin, which is used by online shops.
As per the official statement from Elementor Pro, the vulnerability was resolved in version 3.11.7.