Hackers are actively exploiting a high-severity vulnerability in the popular Elementor Pro WordPress plugin, which is used by over 11 million websites. Elementor Pro is a page builder plugin that allows users to create professional-looking websites without programming knowledge.
The vulnerability was discovered by NinTechNet researcher Jerome Bruandet on March 18, who shared technical details this week on how the bug can be exploited when installed alongside the WooCommerce online store builder. The issue, which affects version 3.11.6 and all versions prior to it, allows authenticated users such as store customers or site members to change site settings and even perform a full site takeover.
The researcher explained that the flaw concerns a broken access control in the plugin’s WooCommerce module, which allows anyone to modify WordPress options in the database without proper validation.
The flaw is exploited through a vulnerable Ajax action, "pro_woocommerce_update_page_option", which has poorly implemented input validation and lacks capability checks. "An attacker could leverage the vulnerability to create an administrator account by enabling registration and setting the default role to 'administrator', changing the administrator's email address, or redirecting all traffic to an external malicious website by changing the siteurl among many other possibilities," explained Bruandet in a white paper about the bug.
It is important to note that in order for the specific flaw to be exploited, the WooCommerce plugin must also be installed on the website, which activates the corresponding vulnerable module in Elementor Pro.
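The root cause described above is an admin-ajax handler that writes WordPress options without checking who is calling or what is being written. The following is an added example, not Elementor's code, of what such a handler looks like once the missing controls are in place; the hook name, option names and sanitizer mapping are assumptions chosen for illustration.

```php
<?php
// Added example (not Elementor's code): a hardened admin-ajax handler for
// updating a page-related option. It adds the controls the article says were
// missing: a capability check, a nonce, and strict validation of what may be
// written. Hook name and option allowlist are assumptions for illustration.

add_action( 'wp_ajax_example_update_page_option', 'example_update_page_option' );

function example_update_page_option() {
    // 1. Capability check: only users allowed to manage options proceed.
    //    A logged-in store customer or site subscriber fails here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued to this user.
    check_ajax_referer( 'example_update_page_option', 'nonce' );

    // 3. Validate the option name against an explicit allowlist, so sensitive
    //    options (default_role, users_can_register, siteurl, admin_email, ...)
    //    can never be reached through this endpoint regardless of input.
    $allowed = array(
        'example_shop_page_id' => 'absint',               // page IDs: non-negative integers only
        'example_shop_banner'  => 'sanitize_text_field',  // free text, tags stripped
    );

    $option_name = isset( $_POST['option_name'] )
        ? sanitize_key( wp_unslash( $_POST['option_name'] ) )
        : '';
    if ( ! isset( $allowed[ $option_name ] ) ) {
        wp_send_json_error( array( 'message' => 'option not permitted' ), 400 );
    }

    // 4. Sanitize the value with the sanitizer registered for that option.
    $raw   = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    $value = call_user_func( $allowed[ $option_name ], $raw );

    update_option( $option_name, $value );
    wp_send_json_success( array( 'option' => $option_name ) );
}
```

Because wp_send_json_error() ends the request, a caller who fails the capability or allowlist check never reaches update_option(); on a patched site, a defender can also confirm that default_role, users_can_register, admin_email and siteurl still hold their expected values.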
WordPress security firm PatchStack is now reporting that hackers are actively exploiting this Elementor Pro plugin vulnerability to redirect visitors to malicious domains or upload backdoors to the breached website.
PatchStack says that the backdoor dropped in these attacks is named wp-resortpark.zip, wp-rate.php or lll.zip. This backdoor gives the attacker full access to the WordPress site, whether to steal data or to install additional malicious code.
Last week, WordPress updated the WooCommerce Payments plugin for online stores to address a critical vulnerability that allowed unauthenticated attackers to gain admin access to vulnerable websites.
Source: Cisoadvisor