A flaw in the WordPress plugin Elementor Pro abused to hack sites

April 7, 2023
Vulnerability Security Flaw WordPress Plugin Elementor Pro Woocommerce Website Hijacking

Security researchers have found a critical flaw in the WordPress plugin Elementor Pro that malicious actors are actively abusing to take over WordPress-powered websites. The flaw is a broken access control issue: on any site that also runs the WooCommerce plugin, it lets an attacker change arbitrary WordPress settings that should be reserved to administrators.

Elementor is one of the most popular WordPress plugins, with more than 5 million active installations worldwide. It is a free drag-and-drop website builder that lets users build their websites without writing code.

Its paid version, Elementor Pro, adds a wider set of features for building more professional websites, including integration with WooCommerce.

 

The threat actors abuse the WordPress plugin flaw to gain admin privileges.

 

It is important to note that a threat actor must be authenticated to abuse the vulnerability, though only as a low-privileged user, such as a customer account on a WooCommerce store. The settings change is performed through one of Elementor Pro’s AJAX actions, which did not check that the caller had the capability to modify site options.

Upon exploitation, the threat actor can switch on the site’s user registration page and set the default role for new users to administrator, then simply register a new account that arrives with full administrative access. After gaining admin privileges, the attacker can perform further malicious activities, such as redirecting the website to an attacker-controlled domain or installing a backdoored plugin.

The researchers added that in the attacks observed, the attackers either rewrote the site’s URL setting so that visitors are redirected to the attacker-controlled domain, or uploaded a malware-laced plugin to the compromised site.

Deeper analysis of the malicious plugins found on compromised sites showed that the attackers could activate them immediately or leave them dormant for later use. The experts observed attacks from numerous IP addresses, with the attackers uploading malicious ZIP archives and PHP files to vulnerable WordPress websites.
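The two paragraphs above describe what the attack leaves behind: registration switched on, the default role set to administrator, a rewritten site URL, an unknown plugin and a freshly created administrator account. The following triage script, an added example and not code from the article or from Elementor, checks a site for exactly those indicators. The option values, user list, expected hostname, plugin allowlist and the sample data itself are constructed assumptions for the example; on a real site the same values come from `wp option get <name>` and `wp user list --role=administrator --fields=user_login,user_registered`.

```python
"""Post-exploitation triage for the Elementor Pro option-tampering flaw.

The constructed sample data models a site after the attack described in the
article: registration enabled, default role set to administrator, siteurl
pointed at an attacker domain and an unexpected plugin activated. The data
format (option name/value pairs plus a user list) is an assumption of this
example, not a WordPress or Elementor API.
"""
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample: what `wp option get` would return for the relevant options.
SAMPLE_OPTIONS = {
    "siteurl": "https://evil.example.net",
    "home": "https://shop.example.com",
    "users_can_register": "1",
    "default_role": "administrator",
    "active_plugins": [
        "woocommerce/woocommerce.php",
        "elementor-pro/elementor-pro.php",
        "wp-cache-helper/wp-cache-helper.php",  # constructed: not on the allowlist
    ],
}

# Constructed sample user list (login, role, registration timestamp).
SAMPLE_USERS = [
    {"user_login": "owner", "role": "administrator", "user_registered": "2021-05-02 10:00:00"},
    {"user_login": "editor1", "role": "editor", "user_registered": "2022-01-15 09:30:00"},
    {"user_login": "wpsupport", "role": "administrator", "user_registered": "2023-03-30 02:14:51"},
]

# What the site owner expects (assumptions for the example).
EXPECTED_HOST = "shop.example.com"
KNOWN_PLUGINS = {
    "woocommerce/woocommerce.php",
    "elementor/elementor.php",
    "elementor-pro/elementor-pro.php",
}
# Administrators created on or after the day the fix shipped deserve review.
PATCH_DATE = datetime(2023, 3, 22)


def audit_options(options, expected_host=EXPECTED_HOST, known_plugins=KNOWN_PLUGINS):
    """Return a list of (severity, message) findings for tampered WordPress options."""
    findings = []
    # The attack flips registration on and makes every new account an administrator.
    if str(options.get("users_can_register", "0")) == "1":
        findings.append(("high", "users_can_register is enabled"))
    if options.get("default_role") == "administrator":
        findings.append(("critical", "default_role for new users is administrator"))
    # Redirect indicator: siteurl or home rewritten to an attacker-controlled domain.
    for name in ("siteurl", "home"):
        value = options.get(name, "")
        host = urlparse(value).hostname or ""
        if host != expected_host:
            findings.append(("critical", f"{name} points to {host or value}, expected {expected_host}"))
    # Backdoor indicator: an active plugin the owner never installed.
    for plugin in options.get("active_plugins", []):
        if plugin not in known_plugins:
            findings.append(("high", f"unexpected active plugin {plugin}"))
    return findings


def suspicious_admins(users, since=PATCH_DATE):
    """Return logins of administrators registered on or after `since`."""
    result = []
    for user in users:
        if user["role"] != "administrator":
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= since:
            result.append(user["user_login"])
    return result


if __name__ == "__main__":
    for severity, message in audit_options(SAMPLE_OPTIONS):
        print(f"[{severity}] {message}")
    for login in suspicious_admins(SAMPLE_USERS):
        print(f"[review] administrator '{login}' was created after the patch date")
```

On the sample data the script reports four option findings (registration enabled, administrator default role, siteurl pointing at evil.example.net, and the unknown plugin) and flags the `wpsupport` administrator. A site that only had its default role reset without also disabling registration and removing the rogue account is still exposed, which is why all of these checks belong together.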

The vulnerability has yet to be assigned a CVE identifier, but it carries a CVSS score of 8.8, which places it in the high-severity band. Elementor addressed it on March 22, 2023 in Elementor Pro version 3.11.7, whose changelog describes improved code security enforcement in WooCommerce components.

All Elementor Pro users, and particularly those running WooCommerce, are strongly advised to update to version 3.11.7 or later as soon as possible. Because the flaw has already been exploited in the wild, site owners should also confirm that user registration has not been switched on, that the default role for new users is not administrator, and that no unknown administrator accounts or plugins have appeared since the patch was released.
