
WordPress Elementor Vulnerability Exploited by Hackers

A recently patched security vulnerability in the WordPress Elementor Pro website builder plugin is being actively exploited by unidentified cybercriminals.

Affecting versions 3.11.6 and earlier, this broken access control flaw was resolved by the plugin developers in the 3.11.7 version, released on March 22. In the release notes, the Tel Aviv-based company mentioned, “Improved code security enforcement in WooCommerce components.” The premium plugin is believed to be in use on over 12 million websites.

Successful exploitation of this high-severity vulnerability enables an authenticated attacker to take full control of a WordPress site with WooCommerce enabled. Patchstack, in an alert dated March 30, 2023, stated, “This allows a malicious user to activate the registration page (if disabled) and set the default user role to administrator, enabling them to create an account with immediate administrator privileges.”

Once this occurs, the attacker is likely to either redirect the site to a malicious domain or upload a harmful plugin or backdoor for further exploitation.

The vulnerability was discovered and reported by NinTechNet security researcher Jerome Bruandet on March 18, 2023. Patchstack also observed that several IP addresses are currently exploiting the flaw in the wild with the aim of uploading arbitrary PHP and ZIP archive files.

To mitigate potential threats, Elementor Pro plugin users are advised to update their plugin to version 3.11.7 or the latest version, 3.12.0, as soon as possible.

This advisory follows a critical vulnerability found in the Essential Addons for Elementor plugin over a year ago, which could lead to arbitrary code execution on compromised websites. Additionally, last week, WordPress issued auto-updates to address a critical bug in the WooCommerce Payments plugin, allowing unauthenticated attackers to gain administrator access to vulnerable sites.

Elementor Plugin bug actively exploited

WordPress security firm PatchStack is now reporting that hackers are actively exploiting this Elementor Pro plugin vulnerability to redirect visitors to malicious domains (“away[.]trackersline[.]com”) or upload backdoors to the breached site.

PatchStack says the backdoors uploaded in these attacks are named wp-resortpark.zip, wp-rate.php, or lll.zip.

While not many details were provided regarding these backdoors, BleepingComputer found a sample of the lll.zip archive, which contains a PHP script that allows a remote attacker to upload additional files to the compromised server.

This backdoor would allow the attacker to gain full access to the WordPress site, whether to steal data or install additional malicious code.

PatchStack says most of the attacks targeting vulnerable websites originate from the following three IP addresses, so it suggests adding them to a blocklist:

  • 193.169.194.63
  • 193.169.195.64
  • 194.135.30.6

If your site uses Elementor Pro, it is imperative to upgrade to version 3.11.7 or later (the latest available is 3.12.0) as soon as possible, as hackers are already targeting vulnerable websites.
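The indicators above (three source IPs, three backdoor file names, the redirect domain, and the registration/default-role changes Patchstack describes) are enough to build a simple post-patch check. The script below is an added example, not code from PatchStack, BleepingComputer or the Elementor project: it scans web server access logs in the common "combined" format for the reported IPs and artifact names, and audits a dictionary of WordPress options (the shape you would get from exporting `users_can_register`, `default_role`, `home` and `siteurl`) for the state an attacker leaves behind. The log lines and option values embedded here are constructed samples; the log format and the option export are assumptions.

```python
"""Detection helper for the Elementor Pro campaign described in the article.

Added example; not PatchStack's, BleepingComputer's or Elementor's code.
Indicators (IPs, file names, redirect domain) come from the article; the
sample log lines and option values below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Indicators reported by PatchStack / BleepingComputer.
ATTACKER_IPS = {"193.169.194.63", "193.169.195.64", "194.135.30.6"}
BACKDOOR_NAMES = {"wp-resortpark.zip", "wp-rate.php", "lll.zip"}
REDIRECT_DOMAIN = "away.trackersline.com"

# Apache/Nginx "combined" log format (assumption: your server uses it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    line_no: int
    reason: str
    ip: str
    path: str


def scan_access_log(lines):
    """Return one Finding per indicator match; a line can match more than once."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        ip, path = m["ip"], m["path"]
        if ip in ATTACKER_IPS:
            findings.append(Finding(n, "request from IP reported by PatchStack", ip, path))
        # Strip the query string and directories, keep only the file name.
        basename = path.split("?", 1)[0].rsplit("/", 1)[-1]
        if basename in BACKDOOR_NAMES:
            findings.append(Finding(n, f"known backdoor artifact name: {basename}", ip, path))
    return findings


def audit_options(options):
    """Flag the option state the attack leaves behind: open registration,
    administrator as default role, or site URLs pointing at the redirect domain."""
    issues = []
    if str(options.get("users_can_register", "0")) == "1":
        issues.append("users_can_register is enabled")
    if options.get("default_role") == "administrator":
        issues.append("default_role is administrator")
    for key in ("home", "siteurl"):
        if REDIRECT_DOMAIN in str(options.get(key, "")):
            issues.append(f"{key} points at {REDIRECT_DOMAIN}")
    return issues


# Constructed sample data (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [30/Mar/2023:10:00:01 +0000] "GET /shop/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '193.169.194.63 - - [30/Mar/2023:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 87 "-" "curl/7.88"',
    '198.51.100.7 - - [30/Mar/2023:10:01:15 +0000] "GET /wp-content/uploads/2023/03/lll.zip HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '194.135.30.6 - - [30/Mar/2023:10:02:30 +0000] "GET /wp-rate.php?x=1 HTTP/1.1" 200 10 "-" "python-requests/2.28"',
]
SAMPLE_OPTIONS = {
    "users_can_register": "1",
    "default_role": "administrator",
    "home": "https://away.trackersline.com/",
    "siteurl": "https://example.com",
}

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"log line {f.line_no}: {f.reason} ({f.ip} {f.path})")
    for issue in audit_options(SAMPLE_OPTIONS):
        print(f"option audit: {issue}")
```

On a real host, feed `scan_access_log` the lines of your access log and `audit_options` the current option values; any finding on a site that ran Elementor Pro 3.11.6 or earlier warrants an incident review (new administrator accounts, unexpected plugins, files under `wp-content/uploads`), not just the update.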

BR,

Hazem Mohamed

References:

https://www.bleepingcomputer.com/news/security/hackers-exploit-bug-in-elementor-pro-wordpress-plugin-with-11m-installs/

https://thehackernews.com/2023/04/hackers-exploiting-wordpress-elementor.html?m=1