A severe vulnerability in the Elementor Pro plugin is being exploited to hack WordPress websites, WordPress security company Patchstack warns. Described as a broken access control issue, the flaw can be exploited on vulnerable websites with the WooCommerce plugin installed to change any WordPress setting. An attacker would need to authenticate as a low-privileged user, such as a subscriber or customer, to exploit the bug. According to Patchstack, the flaw allows an attacker to enable the registration page and set the default user role to administrator, then create a new account with administrator privileges. This would allow them to redirect the site to a malicious domain, or inject malicious code, such as a plugin with a backdoor.
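A defender-side check for the post-exploitation state described above, added here as an example (it is not Elementor's, Patchstack's or WordPress's own code): a small must-use plugin that warns administrators when open registration is combined with an administrator default role, or when administrator accounts were registered after a cutoff date. The cutoff constant and the function names are assumptions for this example.

```php
<?php
/**
 * Example mu-plugin (wp-content/mu-plugins/): surfaces the settings an attacker
 * would leave behind after abusing the flaw described above. Read-only; it
 * changes nothing and only shows a notice to users who can manage options.
 */

// Assumption: set this to the last time you verified the administrator list.
const SETTINGS_CHECK_CUTOFF = '2000-01-01 00:00:00';

function settings_check_option_state(): array {
    $findings = [];
    // "Anyone can register" combined with an administrator default role is
    // exactly the combination the reported attack relies on.
    if ( (int) get_option( 'users_can_register' ) === 1 ) {
        $findings[] = 'users_can_register is enabled';
    }
    if ( get_option( 'default_role' ) === 'administrator' ) {
        $findings[] = 'default_role is administrator';
    }
    return $findings;
}

function settings_check_new_admins( string $cutoff ): array {
    // date_query on WP_User_Query filters on user_registered.
    $admins = get_users( [
        'role'       => 'administrator',
        'date_query' => [ [ 'after' => $cutoff, 'inclusive' => true ] ],
    ] );
    return array_map(
        fn( $u ) => sprintf( 'admin #%d %s registered %s', $u->ID, $u->user_login, $u->user_registered ),
        $admins
    );
}

add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $issues = array_merge(
        settings_check_option_state(),
        settings_check_new_admins( SETTINGS_CHECK_CUTOFF )
    );
    if ( $issues ) {
        echo '<div class="notice notice-error"><p><strong>Site settings check:</strong> '
            . esc_html( implode( '; ', $issues ) ) . '</p></div>';
    }
} );
```

A finding from this check is a reason to review the user list and recent plugin changes, not proof of compromise on its own, since some sites legitimately allow registration.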
The vulnerability, which has a CVSS score of 8.8, but no CVE identifier yet, was addressed on March 22, with the release of Elementor Pro version 3.11.7, which ‘improved code security enforcement in WooCommerce components’. Elementor Pro users are advised to update to a patched version of the plugin as soon as possible.
Elementor is a popular drag-and-drop website builder designed for creating websites without having to write code. The paid version of the plugin, Elementor Pro, provides additional features and tools for site building. Elementor’s developers also run a bug bounty program on the Bugcrowd platform.
In conclusion, a severe vulnerability in the Elementor Pro plugin is being exploited to hack WordPress websites. The flaw can be exploited to change any WordPress setting and set the default user role to administrator, creating a new account with administrator privileges. The vulnerability was addressed on March 22, with the release of Elementor Pro version 3.11.7, and Elementor Pro users are advised to update to a patched version of the plugin as soon as possible.
Key points:
• A vulnerability in the Elementor Pro plugin is being exploited to hack WordPress websites
• The flaw can be exploited on vulnerable websites with the WooCommerce plugin installed
• An attacker needs to authenticate as a low-privileged user to exploit the bug
• The flaw allows an attacker to enable the registration page and set the default user role to administrator
• The vulnerability was addressed on March 22 with the release of Elementor Pro version 3.11.7
• Elementor Pro users are advised to update to a patched version of the plugin as soon as possible