Posted on March 31, 2023 at 9:20 AM
Millions of sites at risk as hackers exploit WordPress Elementor Pro vulnerability
Online criminals have once again found a vulnerability that puts millions of websites at risk. This time, unknown threat actors have started exploiting a security vulnerability in the Elementor Pro website builder plugin commonly used with WordPress. The flaw was recently patched, and after studying it, security experts have described it as a case of broken access control.
So far, it has been revealed that the flaw affects versions 3.11.6 and earlier. Version 3.11.7, released a little over a week ago on March 22nd, addresses it, and everyone is strongly advised to update their plugin to this newest version.
Millions of websites are in danger
The Tel Aviv-based firm stated in its release notes that it had improved code security enforcement in WooCommerce components. The problem is that the premium plugin is reportedly used by more than 12 million websites, which means that hackers have had plenty of soft targets to choose from.
Where they succeeded in exploiting the high-severity flaw, hackers were able to take over targeted websites that had WooCommerce enabled.
Patchstack raised an alert regarding the issue on March 30th, stating that the flaw makes it possible for malicious users to turn on the registration page if it was disabled to begin with, and then set the default user role to administrator. This allowed them to instantly create an account with full administrator privileges.
With an administrator account in their hands, online criminals would likely redirect the website to another, probably malicious, domain, or plant malware on the website itself by way of malicious plugins, backdoors, and similar methods. Both approaches would allow them to further exploit the websites and their unsuspecting visitors.
How was the vulnerability discovered?
According to a report published by NinTechNet, the flaw was discovered by security researcher Jerome Bruandet, who found it on March 18th and immediately reported it to the plugin’s team.
Patchstack also noted that hackers had identified the flaw as well and started abusing it in the wild. So far, security researchers have identified multiple IP addresses that were trying to upload arbitrary PHP and ZIP archive files.
Fortunately, the flaw has already been patched, as mentioned earlier. However, the patch only protects websites whose owners actually update the Elementor Pro plugin to a fixed version. At the moment, only two versions have the issue resolved: the previously mentioned 3.11.7 and version 3.12.0.
The latter is the latest version of the plugin, released after the patch and containing it. Once again, users are advised to update their plugins as soon as possible, as delaying only gives hackers more time to identify their website, breach it, and infect it with malware or use it to direct visitors towards malicious websites.
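As an added example (not from the article, Patchstack or Elementor), the following POSIX shell script audits one WordPress install for the three conditions the article describes: an Elementor Pro version below 3.11.7, open user registration, and an administrator default role. It assumes WP-CLI is installed, the script is run from the WordPress root, and the plugin slug is elementor-pro; the version floor 3.11.7 comes from the article.

```shell
#!/bin/sh
# Added example: audit a WordPress site for the Elementor Pro exposure.
# Assumes WP-CLI ("wp") and the plugin slug "elementor-pro".

# Turn an x.y.z version into a comparable integer (3.11.7 -> 3011007).
vernum() { echo "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'; }

# True when version $1 is at least version $2.
version_ge() { [ "$(vernum "$1")" -ge "$(vernum "$2")" ]; }

# Evaluate plugin_version users_can_register default_role; exit status is the
# number of problems found (0 means nothing from the article applies).
assess() {
    issues=0
    if ! version_ge "$1" "3.11.7"; then
        echo "VULNERABLE: Elementor Pro $1 is below 3.11.7 (fixed in 3.11.7 and 3.12.0)"
        issues=$((issues + 1))
    fi
    if [ "$2" != "0" ]; then
        echo "WARNING: open registration is enabled (users_can_register=$2)"
        issues=$((issues + 1))
    fi
    if [ "$3" = "administrator" ]; then
        echo "CRITICAL: default_role for new users is administrator"
        issues=$((issues + 1))
    elif [ "$3" != "subscriber" ]; then
        echo "WARNING: default_role is $3, not subscriber"
        issues=$((issues + 1))
    fi
    return "$issues"
}

# Gather the live values with WP-CLI and list administrator accounts, so an
# unexpected or recently registered admin stands out.
audit_site() {
    ver=$(wp plugin get elementor-pro --field=version)
    reg=$(wp option get users_can_register)
    role=$(wp option get default_role)
    assess "$ver" "$reg" "$role" || echo "$? issue(s) found"
    wp user list --role=administrator --fields=user_login,user_email,user_registered
}

if [ "${1:-}" = "--run" ]; then audit_site; fi
```

Run it as "sh audit.sh --run" from the site root; the registration and default-role checks also apply to sites that have already updated, since an attacker who flipped them before the patch leaves them flipped.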
WordPress plugins’ security woes
Interestingly, this is not the first time that Elementor has been found to have a critical vulnerability. More than a year earlier, the Essential Addons for Elementor plugin was also found to have a critical flaw that put users at risk; in that case, the flaw could result in the execution of arbitrary code on websites that ran the plugin.
Also worth noting is that WordPress itself issued an auto-update to remediate another critical bug, this one in the WooCommerce Payments plugin. It likewise allowed unauthenticated hackers to gain administrator roles, with similar consequences for those who succeeded.