Hackers are actively exploiting a flaw in the Elementor Pro WordPress plugin

Threat actors are actively exploiting a high-severity flaw in the Elementor Pro WordPress plugin used by more than eleven million websites.

WordPress security firm PatchStack warns of a high-severity vulnerability in the Elementor Pro WordPress plugin that is currently being exploited by threat actors in the wild.

Elementor Pro is a paid page builder plugin, currently installed on over 11 million websites, that allows users to easily create WordPress websites.

This vulnerability was reported on March 18 by security researcher Jerome Bruandet from NinTechNet.

The expert reported that the issue impacts Elementor Pro when it is installed on a site that has WooCommerce activated.

The issue impacts version 3.11.6 and all versions before it. It allows authenticated users, like shop customers or site members, to change the site's settings, which can potentially lead to a complete site takeover.


“Elementor Pro, a popular page builder plugin for WordPress, fixed a broken access control vulnerability affecting versions <=3.11.6 that could allow full site takeover.” reads the advisory published by Bruandet.

The flaw is a broken access control issue in the plugin's WooCommerce module (“elementor-pro/modules/woocommerce/module.php”): any authenticated user can exploit it to change WordPress settings in the database. The flaw is exploited through a vulnerable AJAX action, “pro_woocommerce_update_page_option,” which is used by Elementor's built-in editor.

The issue stems from improper input validation and the lack of a capability check to restrict access to the action to high-privileged users only.
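To make that root cause concrete, here is an added example that is not Elementor Pro's code: a simplified WordPress AJAX handler that updates an option, first written with the broken-access-control pattern the advisory describes (no capability check, unvalidated option name and value), then hardened with a nonce check, a capability check and an allow-list of validated options. The action name "example_update_page_option" and the option names are hypothetical.

```php
<?php
// Added example, not Elementor Pro's code. The action name
// "example_update_page_option" and the option names are hypothetical.

// VULNERABLE PATTERN. Hooked only on wp_ajax_ (so a login is required), but any
// logged-in user, including a WooCommerce customer or subscriber, reaches it.
// Option name and value come straight from the request and there is no
// capability check, so the caller can set users_can_register=1,
// default_role=administrator, admin_email or siteurl.
//
//   add_action( 'wp_ajax_example_update_page_option', 'example_update_page_option_vulnerable' );
function example_update_page_option_vulnerable() {
	$option_name  = $_POST['option_name'];
	$option_value = $_POST['option_value'];
	update_option( $option_name, $option_value ); // arbitrary wp_options write
	wp_send_json_success();
}

// HARDENED FORM: CSRF token, authorisation, and an allow-list of options with
// per-option validation. Never hook this on wp_ajax_nopriv_, which would expose
// it to unauthenticated visitors as well.
add_action( 'wp_ajax_example_update_page_option', 'example_update_page_option_hardened' );
function example_update_page_option_hardened() {
	// 1. The request must carry a nonce issued for this action (dies with 403 otherwise).
	check_ajax_referer( 'example_update_page_option', 'nonce' );

	// 2. Only users allowed to manage site options may proceed.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'insufficient_permissions', 403 );
	}

	// 3. Only a fixed set of option names, each with its own validator.
	$allowed = array(
		'example_shop_page_id' => 'absint', // page IDs are non-negative integers
		'example_cart_page_id' => 'absint',
	);
	$option_name = isset( $_POST['option_name'] )
		? sanitize_key( wp_unslash( $_POST['option_name'] ) )
		: '';
	if ( ! isset( $allowed[ $option_name ] ) ) {
		wp_send_json_error( 'invalid_option', 400 );
	}
	$validate     = $allowed[ $option_name ];
	$option_value = isset( $_POST['option_value'] )
		? $validate( wp_unslash( $_POST['option_value'] ) )
		: 0;

	update_option( $option_name, $option_value );
	wp_send_json_success( array( $option_name => $option_value ) );
}
```

The client side of the hardened handler POSTs to admin-ajax.php with `action=example_update_page_option` and a `nonce` field created with `wp_create_nonce( 'example_update_page_option' )`. The three checks are independent: the nonce stops cross-site requests, the capability check stops low-privileged accounts such as shop customers, and the allow-list stops even an administrator's session from being used to write options the feature never needed, such as `siteurl` or `default_role`.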


“An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration and setting the default role to ‘administrator,’ change the administrator email address or redirect all traffic to an external malicious website by changing siteurl among many other possibilities,” wrote Bruandet.

Elementor Plugin bug actively exploited

PatchStack researchers are observing attacks from multiple IP addresses, most of them the following:

  • 193.169.194.63
  • 193.169.195.64
  • 194.135.30.6

The experts are also seeing files being uploaded with the following file names:

  • wp-resortpack.zip
  • wp-rate.php
  • lll.zip

The researchers also reported that the attackers are changing the site URL to away[dot]trackersline[dot]com.

Researchers urge administrators of WordPress sites using Elementor Pro to upgrade to version 3.11.7 or later (the latest available is 3.12.0) immediately.
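As an added example that is not part of the article or of PatchStack's tooling, the following standalone PHP 8 script turns the indicators above (the attacker IP addresses, the vulnerable AJAX action, the uploaded file names, the rewritten site URL and the fixed version) into a check an administrator can run against an access log and a dump of the relevant wp_options values. The combined log format, the sample log lines, the sample option values and the function names are assumptions and constructed data.

```php
<?php
// Added example, not PatchStack's or the article's code: a standalone PHP 8
// CLI script (php audit.php) that checks for the indicators the article lists.
// The log lines and option values below are constructed sample data; the log
// format assumed is the Apache/nginx "combined" format.
declare(strict_types=1);

const ATTACK_IPS    = ['193.169.194.63', '193.169.195.64', '194.135.30.6'];
const ATTACK_ACTION = 'pro_woocommerce_update_page_option';
const IOC_FILES     = ['wp-resortpack.zip', 'wp-rate.php', 'lll.zip'];
const IOC_DOMAIN    = 'trackersline.com';
const FIXED_VERSION = '3.11.7';

/** Elementor Pro <= 3.11.6 is affected; 3.11.7 or later carries the fix. */
function is_vulnerable_version(string $installed): bool
{
    return version_compare($installed, FIXED_VERSION, '<');
}

/**
 * Flag access-log lines from the listed IPs, requests naming the vulnerable
 * AJAX action in the query string, or requests for the uploaded IOC files.
 * Caveat: POST bodies are not in a standard access log, so an attacker who
 * passes "action=" only in the body is caught here by IP or file name alone.
 */
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue; // not in combined format
        }
        [, $ip, $method, $path, $status] = $m;
        $reasons = [];
        if (in_array($ip, ATTACK_IPS, true)) {
            $reasons[] = 'known attacker IP';
        }
        if (str_contains($path, 'admin-ajax.php') && str_contains($path, 'action=' . ATTACK_ACTION)) {
            $reasons[] = 'vulnerable AJAX action';
        }
        foreach (IOC_FILES as $file) {
            if (str_contains($path, $file)) {
                $reasons[] = "IOC file $file";
            }
        }
        if ($reasons) {
            $hits[] = ['line' => $n + 1, 'ip' => $ip, 'method' => $method,
                       'status' => (int) $status, 'reasons' => $reasons];
        }
    }
    return $hits;
}

/**
 * Check the wp_options values the attack tampers with. $opts maps option
 * name to value, e.g. collected with `wp option get <name>` for each key.
 */
function audit_options(array $opts): array
{
    $findings = [];
    if (($opts['users_can_register'] ?? '0') === '1') {
        $findings[] = 'open registration enabled (users_can_register=1)';
    }
    if (($opts['default_role'] ?? 'subscriber') === 'administrator') {
        $findings[] = 'new accounts default to administrator (default_role)';
    }
    foreach (['siteurl', 'home'] as $key) {
        $host = parse_url($opts[$key] ?? '', PHP_URL_HOST) ?: '';
        if ($host !== '' && str_ends_with($host, IOC_DOMAIN)) {
            $findings[] = "$key points at the attacker domain: {$opts[$key]}";
        }
    }
    return $findings;
}

// ---- constructed sample data ----
$sampleLog = [
    '203.0.113.9 - - [28/Mar/2023:10:01:02 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '193.169.194.63 - - [28/Mar/2023:10:01:07 +0000] "POST /wp-admin/admin-ajax.php?action=pro_woocommerce_update_page_option HTTP/1.1" 200 61 "-" "python-requests/2.28"',
    '194.135.30.6 - - [28/Mar/2023:10:01:09 +0000] "GET /wp-content/uploads/2023/03/wp-rate.php HTTP/1.1" 200 13 "-" "curl/7.88"',
];
$sampleOptions = [
    'users_can_register' => '1',
    'default_role'       => 'administrator',
    'siteurl'            => 'https://away.trackersline.com',
    'home'               => 'https://shop.example',
];

printf("Elementor Pro 3.11.6 vulnerable: %s\n", is_vulnerable_version('3.11.6') ? 'yes' : 'no');
foreach (scan_access_log($sampleLog) as $hit) {
    printf("log line %d: %s %s (%d) -> %s\n",
        $hit['line'], $hit['ip'], $hit['method'], $hit['status'], implode(', ', $hit['reasons']));
}
foreach (audit_options($sampleOptions) as $finding) {
    echo "option finding: $finding\n";
}
```

On a real site, replace the constructed data with `file('/var/log/nginx/access.log')` and with the values returned by `wp option get users_can_register`, `wp option get default_role`, `wp option get siteurl` and `wp option get home`; the installed plugin version comes from `wp plugin get elementor-pro --field=version`. A clean options audit does not prove the site is clean: also review `wp user list --role=administrator` for accounts you did not create and the uploads directory for the listed file names, and treat any hit on the AJAX action as confirmation the site was targeted even if the attack failed.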


Pierluigi Paganini


(SecurityAffairs – hacking, WordPress plugin)



