Unknown threat actors are actively exploiting a recently fixed security vulnerability in the Elementor Pro website builder plugin for WordPress. The flaw, a broken access control issue, affects versions 3.11.6 and earlier and was fixed by the plugin maintainers in version 3.11.7, released on March 22, 2023.
Version 3.11.7 of Elementor Pro, a plugin estimated to be in use on over 12 million sites, "improved code security enforcement in WooCommerce components," according to the Tel Aviv-based company's release notes. The high-severity flaw allows authenticated attackers to take over a WordPress site that has WooCommerce enabled.
Patchstack warned that successful exploitation of the vulnerability lets a malicious user turn on the registration page, set the default user role to administrator, and then register an account with administrator privileges. From there, the attacker can redirect the site to another malicious domain or upload a malicious plugin or backdoor to further exploit the site. Several IP addresses are currently abusing the flaw by uploading arbitrary PHP and ZIP archive files.
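The chain above leaves three traces a site owner can look for: open registration switched on, the default role changed to administrator, and new administrator accounts or PHP/ZIP files that appeared after the patch date. The following audit script is an added example written for this article, not code from Patchstack, Elementor or any other party; the option names `users_can_register` and `default_role` are the standard WordPress settings, while the option values, user list and upload paths are constructed sample data (a real site would supply them from WP-CLI or the `wp_options` / `wp_users` tables).

```python
"""Defender-side audit for the post-exploitation traces described above.

Constructed sample data stands in for a live site. On a real site the same
values come from WP-CLI (`wp option get users_can_register`,
`wp option get default_role`, `wp user list --role=administrator`) or directly
from the wp_options / wp_users tables and a listing of wp-content/uploads.
"""
from datetime import datetime
from pathlib import PurePosixPath

# --- constructed sample data (not from any real site) -----------------------
SAMPLE_OPTIONS = {
    "users_can_register": "1",        # open registration is on
    "default_role": "administrator",  # new sign-ups become administrators
    "siteurl": "https://example.test",
}

SAMPLE_ADMINS = [
    {"user_login": "owner", "user_registered": "2021-05-02 09:10:00"},
    {"user_login": "wp_sys_update", "user_registered": "2023-03-24 03:14:22"},
]

SAMPLE_UPLOADS = [
    "wp-content/uploads/2023/03/banner.png",
    "wp-content/uploads/2023/03/wp-update.php",
    "wp-content/uploads/2023/03/theme-pack.zip",
]

# Release date of Elementor Pro 3.11.7 from the article; accounts created on
# or after this date while the site was still unpatched deserve a closer look.
PATCH_DATE = datetime(2023, 3, 22)

# File types that have no business inside the media uploads directory.
SUSPECT_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".zip"}


def audit_options(options):
    """Flag the two option changes the exploit chain relies on."""
    findings = []
    if options.get("users_can_register") == "1":
        findings.append(("options", "users_can_register is enabled"))
    role = options.get("default_role", "subscriber")
    if role != "subscriber":
        findings.append(("options", f"default_role is '{role}', expected 'subscriber'"))
    return findings


def recent_admins(admins, since):
    """Administrator accounts registered on or after `since`."""
    findings = []
    for user in admins:
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= since:
            findings.append(("users", f"admin '{user['user_login']}' registered {user['user_registered']}"))
    return findings


def suspicious_uploads(paths):
    """PHP or ZIP files under wp-content/uploads, which should hold media only."""
    findings = []
    for raw in paths:
        path = PurePosixPath(raw)
        if "uploads" in path.parts and path.suffix.lower() in SUSPECT_SUFFIXES:
            findings.append(("uploads", f"script or archive in uploads: {raw}"))
    return findings


def run_audit(options, admins, uploads, since=PATCH_DATE):
    """Combine the three checks; an empty list means none of the traces were found."""
    return audit_options(options) + recent_admins(admins, since) + suspicious_uploads(uploads)


if __name__ == "__main__":
    for category, detail in run_audit(SAMPLE_OPTIONS, SAMPLE_ADMINS, SAMPLE_UPLOADS):
        print(f"[{category}] {detail}")
```

A clean site returns an empty list from `run_audit`; any finding is a reason to compare the result against your change log before deciding whether the site was compromised, since legitimate sites occasionally run with open registration or a non-default role on purpose.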
Vulnerabilities can be discovered at any time, highlighting the importance of staying vigilant.
Jerome Bruandet, a security researcher at NinTechNet, discovered and reported the vulnerability on March 18, 2023. To reduce the risk, users of the Elementor Pro plugin are encouraged to update to the fixed releases, version 3.11.7 or 3.12.0.
It’s worth noting that this alert comes over a year after a critical vulnerability was discovered in the Essential Addons for Elementor plugin that could result in the execution of arbitrary code on compromised websites.
Last week, WordPress released auto-updates to address another critical vulnerability in the WooCommerce Payments plugin that allowed unauthenticated attackers to obtain administrator access to vulnerable sites. It’s crucial to stay on top of security patches and updates to ensure that your website is as secure as possible.
To protect your website from the recently patched vulnerability in the Elementor Pro plugin for WordPress, Kha Creation recommends updating to the latest version (3.12.0) as soon as possible and regularly checking for and installing software updates. It is also important to implement additional security measures such as strong passwords, two-factor authentication, and regular backups to maintain website security.