Hackers are actively exploiting a high-severity vulnerability in the popular Elementor Pro plugin for WordPress, which is used by over eleven million websites.
Elementor Pro is a WordPress page builder plugin that allows users to create professional-looking websites without any coding knowledge, offering features like drag and drop, theme building, a collection of templates, support for custom widgets, and a WooCommerce builder for online stores.
This vulnerability was discovered by researcher Jerome Bruandet from NinTechNet on March 18, 2023, who shared technical details this week on how the bug can be exploited when installed alongside WooCommerce.
The issue, affecting version 3.11.6 and all previous versions, allows authenticated users, such as online store customers or site members, to modify the site settings and even take complete control over the site.
The researcher explained that the problem is related to a flawed access control in the plugin’s WooCommerce module (“elementor-pro/modules/woocommerce/module.php”), allowing anyone to modify WordPress options in the database without proper validation.
The issue is exploited through a vulnerable AJAX action, “pro_woocommerce_update_page_option,” which suffers from poorly implemented input validation and lack of capability checks.
“An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration and setting the default role to ‘administrator,’ change the email address of the administrator, or redirect all traffic to a malicious external website by changing the site URL, among many other possibilities,” Bruandet explained in a technical description of the bug.
It is important to note that to exploit this particular issue, the WooCommerce plugin must also be installed on the site, which activates the corresponding vulnerable module in Elementor Pro.
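The flaw Bruandet describes is a common WordPress mistake: a `wp_ajax_` hook is reachable by any logged-in user, so an option-update handler that trusts the request without a nonce, a capability check and an allowlist lets a customer account change options such as `users_can_register`, `default_role` or `siteurl`. The code below is an added illustration written for this article, not Elementor Pro's actual source; the hook names, the `demo_` functions and the allowlist of WooCommerce page-ID options are assumptions chosen to show the pattern beside its hardened form.

```php
<?php
// Constructed illustration, not Elementor Pro's code. Both handlers sit on
// wp_ajax_ hooks, which WordPress exposes to ANY logged-in user; a WooCommerce
// customer account is enough to reach them.

// 1) The vulnerable pattern: option name and value come straight from the
//    request, with no nonce, no capability check and no allowlist. Any
//    authenticated user can set users_can_register, default_role,
//    admin_email or siteurl.
add_action('wp_ajax_demo_update_page_option', 'demo_update_page_option_insecure');
function demo_update_page_option_insecure() {
    $name  = $_POST['option_name'];
    $value = $_POST['option_value'];
    update_option($name, $value);
    wp_send_json_success();
}

// 2) The hardened pattern: verify the nonce, require the manage_options
//    capability, and accept only a fixed allowlist of option names, with the
//    value checked against the type the option actually holds.
const DEMO_ALLOWED_PAGE_OPTIONS = [
    // Assumed allowlist: WooCommerce page-ID options that a page builder
    // might legitimately let an administrator update.
    'woocommerce_shop_page_id',
    'woocommerce_cart_page_id',
    'woocommerce_checkout_page_id',
    'woocommerce_myaccount_page_id',
];

add_action('wp_ajax_demo_update_page_option_v2', 'demo_update_page_option_secure');
function demo_update_page_option_secure() {
    // Rejects requests that did not originate from our own admin UI
    // (the UI must send a nonce made with wp_create_nonce('demo_update_page_option')).
    check_ajax_referer('demo_update_page_option', 'nonce');

    // Being logged in is not enough: only users who may manage options proceed.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Insufficient permissions.'], 403);
    }

    $name  = isset($_POST['option_name'])  ? sanitize_key(wp_unslash($_POST['option_name'])) : '';
    $value = isset($_POST['option_value']) ? absint(wp_unslash($_POST['option_value']))      : 0;

    // Allowlist: anything outside it (users_can_register, siteurl, ...) is refused.
    if (!in_array($name, DEMO_ALLOWED_PAGE_OPTIONS, true)) {
        wp_send_json_error(['message' => 'Option not permitted.'], 400);
    }

    // The allowed options hold a page ID, so the value must reference a page.
    if ($value === 0 || get_post_type($value) !== 'page') {
        wp_send_json_error(['message' => 'Invalid page ID.'], 400);
    }

    update_option($name, $value);
    wp_send_json_success(['option' => $name, 'value' => $value]);
}
```

The three checks are independent and all three matter: the nonce stops cross-site requests, the capability check stops low-privilege accounts, and the allowlist bounds the damage even if the first two are bypassed, because a handler that can only write four page-ID options cannot enable registration or redirect the site.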
The Elementor plugin is vulnerable and actively exploited.
WordPress security firm PatchStack now reports that hackers are actively exploiting this vulnerability in the Elementor Pro plugin to redirect visitors to malicious domains (“away[.]trackersline[.]com”) or to load backdoors on compromised sites.
PatchStack says that the backdoor loaded in these attacks is delivered under one of the file names wp-resortpark.zip, wp-rate.php, or lll.zip. While not many details have been provided about these backdoors, BleepingComputer found a sample.
PatchStack warns that most attacks targeting vulnerable sites originate from the following three IP addresses, so it is suggested to add them to a blocklist:
If your website is using Elementor Pro, it is imperative to upgrade to version 3.11.7 or newer (the latest available is 3.12.0) as soon as possible, as hackers are already directing their attacks towards vulnerable sites.
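For sites that may have been exposed before patching, the changes PatchStack and Bruandet describe leave traces in `wp_options` and on disk. The script below is an added audit written for this article, not a PatchStack or BleepingComputer tool; the expected host and admin e-mail are constructed placeholders, the sample options array is constructed to resemble a compromised site, and the redirect domain and file names are the indicators reported above.

```php
<?php
// Added post-compromise audit, not part of the article or of PatchStack's tooling.
// Checks a snapshot of wp_options for the changes the attacks make (registration
// enabled, default role set to administrator, admin e-mail swapped, siteurl/home
// pointed off-site) and scans a directory for the reported backdoor file names.
// Usage: php audit.php /path/to/wordpress
// The options array below is constructed sample data; on a real site, populate it
// from `wp option get <name>` or a SELECT on the wp_options table.

const EXPECTED_HOST        = 'shop.example.test';      // constructed: the site's real host
const EXPECTED_ADMIN_EMAIL = 'owner@example.test';     // constructed: the known admin address
const REDIRECT_IOC_HOST    = 'away.trackersline.com';  // redirect domain reported by PatchStack
const BACKDOOR_IOC_FILES   = ['wp-resortpark.zip', 'wp-rate.php', 'lll.zip'];

// Returns a list of human-readable findings; an empty list means no indicator matched.
function audit_options(array $opts): array {
    $findings = [];
    if (($opts['users_can_register'] ?? '0') !== '0') {
        $findings[] = 'users_can_register is enabled';
    }
    if (($opts['default_role'] ?? 'subscriber') === 'administrator') {
        $findings[] = 'default_role is administrator';
    }
    if (($opts['admin_email'] ?? '') !== EXPECTED_ADMIN_EMAIL) {
        $findings[] = 'admin_email changed to ' . ($opts['admin_email'] ?? '(unset)');
    }
    foreach (['siteurl', 'home'] as $key) {
        $host = parse_url($opts[$key] ?? '', PHP_URL_HOST);
        if ($host !== EXPECTED_HOST) {
            $tag = ($host === REDIRECT_IOC_HOST) ? ' (matches reported redirect domain)' : '';
            $findings[] = "$key points to " . ($host ?: '(invalid URL)') . $tag;
        }
    }
    return $findings;
}

// Walks the install and returns paths whose file name matches a reported backdoor name.
function find_backdoor_files(string $root): array {
    $hits = [];
    if (!is_dir($root)) {
        return $hits;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (in_array($file->getFilename(), BACKDOOR_IOC_FILES, true)) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

// Constructed snapshot showing what a site hit by this campaign could look like.
$sample_options = [
    'users_can_register' => '1',
    'default_role'       => 'administrator',
    'admin_email'        => 'unknown@example.invalid',
    'siteurl'            => 'https://away.trackersline.com',
    'home'               => 'https://shop.example.test',
];

$findings = audit_options($sample_options);
foreach ($findings as $f) {
    echo "[!] $f\n";
}
foreach (find_backdoor_files($argv[1] ?? '.') as $path) {
    echo "[!] IoC file: $path\n";
}
echo $findings ? "Option indicators found: review administrator accounts and recent users.\n"
               : "No option indicators found.\n";
```

Any hit on `users_can_register` or `default_role` should be followed by a review of accounts created after the site was exposed, since Bruandet's description has the attacker registering an administrator rather than modifying an existing one; resetting the options alone does not remove that account.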
Last week, WordPress forced the update of the WooCommerce Payments plugin for online stores to fix a critical vulnerability that allowed unauthenticated attackers to gain administrator access to vulnerable sites.