A high-severity vulnerability in the widely used Elementor Pro WordPress plugin, which is installed on over eleven million websites, is currently being exploited by hackers. The flaw, caused by broken access control in the plugin's WooCommerce module, was discovered by NinTechNet researcher Jerome Bruandet on March 18, 2023.
Elementor Pro is a WordPress page builder plugin that facilitates the effortless creation of professional-looking websites, even for individuals who lack coding expertise.
The popular website builder plugin includes drag-and-drop functionality, theme building, a collection of templates, custom widget support, and a WooCommerce builder for online shops.
A vulnerability in version 3.11.6 and all preceding versions of the plugin enables authenticated users, such as site members or shop customers, to modify site settings and execute a complete takeover of the site.
The researcher stated that the vulnerability is related to a flawed access control on the WooCommerce module (“elementor-pro/modules/woocommerce/module.php”) of the plugin. This flaw allows anyone to alter WordPress options in the database without undergoing proper validation.
The vulnerability is exploited through an insecure AJAX action called “pro_woocommerce_update_page_option.” This action suffers from inadequate input validation and a missing capability check.
In a technical writeup about the bug, Bruandet says an authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration and setting the default role to “administrator,” change the administrator email address, or redirect all traffic to an external malicious website by changing siteurl, among many other possibilities.
It’s crucial to highlight that exploiting this specific vulnerability requires the WooCommerce plugin to be installed on the site, since that is what activates the vulnerable module in Elementor Pro.
PatchStack reports Elementor Plugin bug actively exploited
According to WordPress security firm PatchStack, hackers are currently exploiting the Elementor Pro plugin vulnerability by redirecting site visitors to malicious domains (“away[.]trackersline[.]com”) or uploading backdoors to the breached site.
The backdoors that are uploaded in these attacks have been named wp-resortpark.zip, wp-rate.php, or lll.zip.
This archive contains a PHP script that enables a remote attacker to upload additional files to the compromised server, thus providing them with complete access to the WordPress site. This access can be used to steal data or install further malicious code.
The exploitation of this vulnerability can also have catastrophic consequences for websites that utilise the plugin, including the redirection of site visitors to malicious domains or the uploading of backdoors to the compromised website.
PatchStack has identified three IP addresses that most of the attacks targeting vulnerable websites originate from. Therefore, it is recommended to add these IP addresses to a blocklist.
- 193.169.194.63
- 193.169.195.64
- 194.135.30.6
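As an added example (not code from the article, PatchStack, or Elementor), the following Python script triages web server access-log lines for the indicators quoted above: requests for the “pro_woocommerce_update_page_option” AJAX action, traffic from the three listed IP addresses, and hits on the named backdoor files. It assumes combined-format log lines and that the AJAX action is visible in the request line (a plain access log does not record POST bodies); the sample log lines are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators quoted in the article above.
VULN_ACTION = "pro_woocommerce_update_page_option"
ATTACK_IPS = {"193.169.194.63", "193.169.195.64", "194.135.30.6"}
BACKDOOR_NAMES = ("wp-resortpark.zip", "wp-rate.php", "lll.zip")

# Combined log format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

def triage_line(line):
    """Return a list of (reason, ip, path) findings for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: skip it rather than crash
    ip, path = m.group("ip"), m.group("path")
    url = urlparse(path)
    findings = []
    # Assumption: the action is visible in the request line (GET query string,
    # or a WAF/request log that records POST fields); plain access logs omit bodies.
    actions = parse_qs(url.query).get("action", [])
    if url.path.endswith("/admin-ajax.php") and VULN_ACTION in actions:
        findings.append(("vulnerable ajax action", ip, path))
    if ip in ATTACK_IPS:
        findings.append(("known attacker ip", ip, path))
    if any(name in url.path for name in BACKDOOR_NAMES):
        findings.append(("backdoor filename", ip, path))
    return findings

def triage(lines):
    """Run triage_line over an iterable of log lines and flatten the findings."""
    return [f for line in lines for f in triage_line(line)]

# Constructed sample lines: RFC 5737 test addresses plus the article's IPs.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Apr/2023:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=pro_woocommerce_update_page_option HTTP/1.1" 200 12 "-" "curl/7.88"',
    '193.169.194.63 - - [01/Apr/2023:10:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "python-requests/2.28"',
    '198.51.100.7 - - [01/Apr/2023:10:00:09 +0000] "GET /wp-content/uploads/wp-rate.php HTTP/1.1" 200 500 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [01/Apr/2023:10:00:12 +0000] "GET /shop/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for reason, ip, path in triage(SAMPLE_LOG):
        print(f"{reason:24} {ip:16} {path}")
```

A hit on the action alone is not proof of compromise, since a legitimate administrator may trigger it; correlate it with the source IP, the user's role, and any later changes to users_can_register, default_role, admin_email, or siteurl.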
If your WordPress website uses Elementor Pro, it is critical to update to version 3.11.7 or newer without delay, as hackers are actively targeting sites that are vulnerable.
In light of these developments, it is imperative that websites using the Elementor Pro WordPress plugin update to version 3.11.7 (the most current version is 3.12.0) as soon as possible. Failure to do so could leave them vulnerable to hackers who are actively targeting sites with this vulnerability.
As the threat of cyberattacks continues to rise, it is crucial for website owners to prioritize cybersecurity and ensure that all plugins and software are up-to-date with the latest security patches. Failure to do so could lead to a devastating data breach or loss of sensitive information.
This is not the first time that WordPress plugins have been targeted by hackers. Last week, WordPress had to perform a forced update of the WooCommerce Payments plugin, which is utilised by online stores