Jump to content
  • Hackers exploit bug in Elementor Pro WordPress plugin with 11M installs

    alf9872000

    • 468 views
    • 3 minutes
     Share


    • 468 views
    • 3 minutes

    Hackers are actively exploiting a high-severity vulnerability in the popular Elementor Pro WordPress plugin used by over eleven million websites.

     

    Elementor Pro is a WordPress page builder plugin allowing users to easily build professional-looking sites without knowing how to code, featuring drag and drop, theme building, a template collection, custom widget support, and a WooCommerce builder for online shops.

     

    This vulnerability was discovered by NinTechNet researcher Jerome Bruandet on March 18, 2023, who shared technical details this week about how the bug can be exploited when installed alongside WooCommerce.

     

    The issue, which impacts v3.11.6 and all versions before it, allows authenticated users, like shop customers or site members, to change the site's settings and even perform a complete site takeover. 

     

    The researcher explained that the flaw concerns a broken access control on the plugin's WooCommerce module ("elementor-pro/modules/woocommerce/module.php"), allowing anyone to modify WordPress options in the database without proper validation.

     

    The flaw is exploited through a vulnerable AJAX action, "pro_woocommerce_update_page_option," which suffers from poorly implemented input validation and a lack of capability checks.

     

    "An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration and setting the default role to "administrator," change the administrator email address or, redirect all traffic to an external malicious website by changing siteurl among many other possibilities," explained Bruandet in a technical writeup about the bug.

     

    redirection.jpg

    Creating a malicious redirection (blog.nintechnet.com)

     

    It is important to note that for the particular flaw to be exploited, the WooCommerce plugin must also be installed on the site, which activates the corresponding vulnerable module on Elementor Pro.

    Elementor Plugin bug actively exploited

    WordPress security firm PatchStack is now reporting that hackers are actively exploiting this Elementor Pro plugin vulnerability to redirect visitors to malicious domains ("away[.]trackersline[.]com") or upload backdoors to the breached site.

     

    PatchStack says the backdoor uploaded in these attacks are named wp-resortpark.zip, wp-rate.php, or lll.zip

     

    While not many details were provided regarding these backdoors, BleepingComputer found a sample of the lll.zip archive, which contains a PHP script that allows a remote attacker to upload additional files to the compromised server.

     

    This backdoor would allow the attacker to gain full access to the WordPress site, whether to steal data or install additional malicious code.

     

    PatchStack says most of the attacks targeting vulnerable websites originate from the following three IP addresses, so it is suggested to add those to a blocklist:

     

    • 193.169.194.63
    • 193.169.195.64
    • 194.135.30.6

     

    If your site uses Elementor Pro, it is imperative to upgrade to version 3.11.7 or later (the latest available is 3.12.0) as soon as possible, as hackers are already targeting vulnerable websites.

     

    Last week, WordPress force-updated the WooCommerce Payments plugin for online stores to address a critical vulnerability that allowed unauthenticated attackers to gain administrator access to vulnerable sites.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...