Pierluigi Paganini March 31, 2023

Threat actors are actively exploiting a high-severity flaw in the Elementor Pro WordPress plugin used by more than eleven million websites

WordPress security firm PatchStack warns of a high-severity vulnerability in the Elementor Pro WordPress plugin that is currently being exploited by threat actors in the wild.

Elementor Pro is a paid plugin that is currently installed on over 11 million websites, it allows users to easily create WordPress websites.

This vulnerability was reported on March 18 by security researcher Jerome Bruandet from NinTechNet.

The expert reported that the issue impacts Elementor Pro when it is installed on a site that has WooCommerce activated.

The issue impacts version v3.11.6 and all versions before it, allowing authenticated users, like shop customers or site members, to change the site’s settings and can potentially lead to a complete site takeover. 

“Elementor Pro, a popular page builder plugin for WordPress, fixed a broken access control vulnerability affecting versions <=3.11.6 that could allow full site takeover.” reads the advisory published by Bruanded.

The flaw is broken access control on the plugin’s WooCommerce module (“elementor-pro/modules/woocommerce/module.php”), anyone can exploit the issue to change WordPress settings in the database. The flaw is exploited through a vulnerable AJAX action, “pro_woocommerce_update_page_option,” which is used by Elementor’s built-in editor.

The issue stems from improper input validation and a lack of capability check to restrict its access to a high privileged user only.

“An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration and setting the default role to “administrator,” change the administrator email address or, redirect all traffic to an external malicious website by changing siteurl among many other possibilities,” wrote Bruandet.

Elementor Plugin bug actively exploited

PatchStack researchers are observing attacks from multiple IP addresses, most of them from the following IP addresses:

• 193.169.194.63
• 193.169.195.64
• 194.135.30.6

The experts are also seeing files being uploaded with the following file names:

• wp-resortpack.zip
• wp-rate.php
• lll.zip

The researchers also reported that the attackers are changing site URL to away[dot]trackersline[dot]com.

Researchers urge administrators of WordPress sites using Elementor Pro, to upgrade to version 3.11.7 or later (the latest available is 3.12.0) immediately.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

You can nominate yourself or your favourite blogger. We ask that you provide a brief paragraph of 250 words explaining why they should win.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress plugin)