Elementor Pro Plugin Vulnerability Exploited to Hack WordPress Websites – SecurityWeek

Hi, what are you looking for?
A severe vulnerability in the Elementor Pro WordPress plugin is being exploited to inject malware into vulnerable websites.

A severe vulnerability in the Elementor Pro plugin is being exploited to hack WordPress websites, WordPress security company Patchstack warns.
Described as a broken access control issue, the flaw can be exploited on vulnerable websites with the WooCommerce plugin installed to change any WordPress setting. An attacker would need to be authenticated as a low-privileged user, such as subscriber or customer, to exploit the bug.
“This is done through an AJAX action of Elementor Pro that does not have proper privilege control in place,” Patchstack explains.
According to the security firm, the flaw allows an attacker to enable the registration page of a website and set the default user role to administrator.
The attacker can then create a new user account that has administrator privileges, which allows them to either redirect the site to a malicious domain, or inject malicious code, such as a plugin with a backdoor.
“From what we have seen so far, hackers who exploit this vulnerability either update the URL of the site to a malicious domain so visitors get redirected to this malicious domain, or the hackers upload a fake plugin which contains a backdoor. This backdoor may be activated and communicated with right away or at a future date,” Patchstack told SecurityWeek.
The company says it has observed malicious attacks targeting this vulnerability originating from multiple IP addresses, with attackers injecting malicious .zip and .php files.

Advertisement. Scroll to continue reading.

The flaw, which has a CVSS score of 8.8, but no CVE identifier yet, was addressed on March 22, with the release of Elementor Pro version 3.11.7, which ‘improved code security enforcement in WooCommerce components’.
Elementor Pro users are advised to update to a patched version of the plugin as soon as possible.
With over 5 million active installations, the Elementor plugin is a popular drag-and-drop website builder designed for creating websites without having to write code. The paid version of the plugin, Elementor Pro, provides additional features and tools for site building.
Elementor’s developers also run a bug bounty program on the Bugcrowd platform.
Related: Critical Vulnerability in Elementor Plugin Impacts Millions of WordPress Sites
Related: Critical WooCommerce Payments Vulnerability Leads to Site Takeover
Related: Vulnerability in Popular Real Estate Theme Exploited to Hack WordPress Websites

Ionut Arghire is an international correspondent for SecurityWeek.
Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.
SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.
Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.
Sharing threat information and cooperating with other threat intelligence groups helps to strengthen customer safeguards and boosts the effectiveness of the cybersecurity sector overall.
Securing APIs is a noble, though complex journey. Security teams can leverage these 10 steps to help secure their APIs.
While silos pose significant dangers to an enterprise’s cybersecurity posture, consolidation serves as a powerful solution to overcome these risks, offering improved visibility, efficiency, incident response capabilities, and risk management.
The need for cyber resilience arises from the growing realization that traditional security measures are no longer enough to protect systems, data, and the network from compromise.
Signing code is very important to defend against supply chain attacks, but it’s also one of the most cumbersome to implement for internal development.
Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher…
The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.
OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an…
A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the…
The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be…
The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.
Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.
A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car…
Got a confidential news tip? We want to hear from you.
Reach a large audience of enterprise cybersecurity professionals
Subscribe to the SecurityWeek Daily Briefing and get the latest content delivered to your inbox.
Copyright © 2023 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.


Post Your Comment