Hackers are actively exploiting a high-severity vulnerability in the popular Elementor Pro WordPress plugin used by over eleven million websites.
Elementor Pro is a WordPress page builder plugin allowing users to easily build professional-looking sites without knowing how to code, featuring drag and drop, theme building, a template collection, custom widget support, and a WooCommerce builder for online shops.
This vulnerability was discovered by NinTechNet researcher Jerome Bruandet on March 18, 2023, who shared technical details this week about how the bug can be exploited when installed alongside WooCommerce.
The issue, which impacts v3.11.6 and all versions before it, allows authenticated users, like shop customers or site members, to change the site’s settings and even perform a complete site takeover.
The researcher explained that the flaw concerns a broken access control on the plugin’s WooCommerce module (“elementor-pro/modules/woocommerce/module.php”), allowing anyone to modify WordPress options in the database without proper validation.
The flaw is exploited through a vulnerable AJAX action, “pro_woocommerce_update_page_option,” which suffers from poorly implemented input validation and a lack of capability checks.
“An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration and setting the default role to “administrator,” change the administrator email address or, redirect all traffic to an external malicious website by changing siteurl among many other possibilities,” explained Bruandet in a technical writeup about the bug.
It is important to note that for the particular flaw to be exploited, the WooCommerce plugin must also be installed on the site, which activates the corresponding vulnerable module on Elementor Pro.
Elementor Plugin bug actively exploited
WordPress security firm PatchStack is now reporting that hackers are actively exploiting this Elementor Pro plugin vulnerability to redirect visitors to malicious domains (“away[.]trackersline[.]com”) or upload backdoors to the breached site.
PatchStack says the backdoor uploaded in these attacks are named wp-resortpark.zip, wp-rate.php, or lll.zip
While not many details were provided regarding these backdoors, BleepingComputer found a sample of the lll.zip archive, which contains a PHP script that allows a remote attacker to upload additional files to the compromised server.
This backdoor would allow the attacker to gain full access to the WordPress site, whether to steal data or install additional malicious code.
PatchStack says most of the attacks targeting vulnerable websites originate from the following three IP addresses, so it is suggested to add those to a blocklist:
If your site uses Elementor Pro, it is imperative to upgrade to version 3.11.7 or later (the latest available is 3.12.0) as soon as possible, as hackers are already targeting vulnerable websites.
Last week, WordPress force-updated the WooCommerce Payments plugin for online stores to address a critical vulnerability that allowed unauthenticated attackers to gain administrator access to vulnerable sites.