Elementor Pro Plugin Vulnerability Exploited to Hack WordPress Websites

A severe vulnerability in the Elementor Pro WordPress plugin is being exploited to inject malware into vulnerable websites.

A severe vulnerability in the Elementor Pro plugin is being exploited to hack WordPress websites, WordPress security company Patchstack warns.

Described as a broken access control issue, the flaw can be exploited on vulnerable websites with the WooCommerce plugin installed to change any WordPress setting. An attacker would need to be authenticated as a low-privileged user, such as subscriber or customer, to exploit the bug.

“This is done through an AJAX action of Elementor Pro that does not have proper privilege control in place,” Patchstack explains.

According to the security firm, the flaw allows an attacker to enable the registration page of a website and set the default user role to administrator.

The attacker can then create a new user account with administrator privileges, which allows them either to redirect the site to a malicious domain or to inject malicious code, such as a plugin containing a backdoor.
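To make the bug class concrete, the following is an added illustration written for this page, not Elementor Pro's code: a hypothetical WordPress AJAX handler that writes options without a privilege check, next to a hardened version of the same handler. The hook names (demo_save_setting, demo_save_setting_safe), the function names and the allow-listed option names are all assumptions.

```php
<?php
// Hypothetical handler illustrating broken access control in a wp_ajax_* action.
// NOT Elementor Pro's code; hook, function and option names are made up.

// VULNERABLE: wp_ajax_* hooks are reachable by every logged-in user, including
// subscribers and customers, and this handler stores whatever option name and
// value the request supplies. That is enough to flip registration on and set
// the default role, which is the abuse pattern described in the article.
add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting_vulnerable' );
function demo_save_setting_vulnerable() {
    $name  = $_POST['option'] ?? '';
    $value = $_POST['value'] ?? '';
    update_option( $name, $value ); // no nonce, no capability check, no allow-list
    wp_send_json_success();
}

// HARDENED: verify a nonce, require the capability the setting actually needs,
// and restrict writes to an explicit allow-list of the plugin's own options.
add_action( 'wp_ajax_demo_save_setting_safe', 'demo_save_setting_hardened' );
function demo_save_setting_hardened() {
    // Dies with a 403 if the 'nonce' field is missing or invalid (CSRF protection).
    check_ajax_referer( 'demo_save_setting', 'nonce' );

    // Low-privileged roles do not hold manage_options, so they stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() exits
    }

    // Only options this feature owns may be written; core settings such as
    // users_can_register or default_role are never reachable through here.
    $allowed = array( 'demo_enable_widget', 'demo_widget_title' ); // assumed names
    $name    = sanitize_key( wp_unslash( $_POST['option'] ?? '' ) );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}
```

Defenders reviewing plugins can look for the same three controls in every wp_ajax_* handler: a nonce check, a capability check appropriate to the action, and a bounded set of options or records the handler may modify.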

“From what we have seen so far, hackers who exploit this vulnerability either update the URL of the site to a malicious domain so visitors get redirected to this malicious domain, or the hackers upload a fake plugin which contains a backdoor. This backdoor may be activated and communicated with right away or at a future date,” Patchstack told SecurityWeek.

The company says it has observed malicious attacks targeting this vulnerability originating from multiple IP addresses, with attackers injecting malicious .zip and .php files.

The flaw, which has a CVSS score of 8.8 but no CVE identifier yet, was addressed on March 22 with the release of Elementor Pro version 3.11.7, which ‘improved code security enforcement in WooCommerce components’.


Elementor Pro users are advised to update to a patched version of the plugin as soon as possible.

With over 5 million active installations, the Elementor plugin is a popular drag-and-drop website builder designed for creating websites without having to write code. The paid version of the plugin, Elementor Pro, provides additional features and tools for site building.

Elementor’s developers also run a bug bounty program on the Bugcrowd platform.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
