WordPress Elementor Pro Vulnerability Exploited by Hackers, Endangering Millions of Websites!


A security flaw in the Elementor Pro website builder plugin for WordPress is being actively exploited by unidentified threat actors. Versions 3.11.6 and older are affected by the bug, which is characterized as a case of broken access control. The plugin maintainers fixed the issue in version 3.11.7, released on March 22.

The Tel Aviv-based company’s release notes said only that “WooCommerce components have improved code security enforcement.” Almost 12 million sites are reportedly using the premium plugin. An authenticated attacker, meaning any logged-in user, can use the high-severity flaw to take full control of a WordPress site on which WooCommerce is enabled.

In a warning dated March 30, 2023, Patchstack stated that “this makes it feasible for a malicious user to switch on the registration page (if deactivated) and set the default user role to administrator so they may establish an account that instantly gets administrator rights. Thereafter, they are likely to upload a malicious plugin or backdoor to further attack the site, or they will reroute the site to another malicious website.”

Jerome Bruandet, a security researcher with NinTechNet, is credited with finding and disclosing the vulnerability on March 18, 2023. Patchstack said that a number of IP addresses are presently exploiting the weakness in the wild in order to upload arbitrary PHP and ZIP archive files. Users of the Elementor Pro plugin are recommended to update to 3.11.7 or 3.12.0, which is the latest version, as soon as possible to mitigate potential threats.
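The takeover chain described above leaves a small, consistent set of traces: the plugin version, the two WordPress options an attacker flips (registration switched on, default role set to administrator), administrator accounts that appear after the flip, and PHP or ZIP files dropped into the uploads directory. The following triage script is an added example, not code from the article, from Patchstack or from the plugin vendor. It checks those indicators against plain Python data standing in for what an operator would pull with `wp option get`, `wp user list` and a `find` over `wp-content/uploads`; the two sample sites, the user names, file paths and the allow-list of acceptable default roles are all constructed for illustration.

```python
"""Triage checks for the Elementor Pro <= 3.11.6 site-takeover chain.

Added example, not from the article or the vendor. Encodes the indicators
the advisory describes. Inputs are plain Python data standing in for
`wp option get`, `wp user list` and a find over wp-content/uploads.
"""
from datetime import datetime

FIXED_VERSION = "3.11.7"                          # first patched release per the advisory
SAFE_DEFAULT_ROLES = {"subscriber", "customer"}   # constructed allow-list for default_role

def parse_version(v):
    """'3.11.6' -> (3, 11, 6) so 3.11.7 sorts above 3.11.6 and 3.12.0 above 3.11.7."""
    return tuple(int(p) for p in v.strip().split("."))

def is_vulnerable_version(installed):
    return parse_version(installed) < parse_version(FIXED_VERSION)

def check_options(options):
    """Flag the registration / default-role state the attacker sets."""
    findings = []
    can_register = str(options.get("users_can_register", "0")) == "1"
    role = options.get("default_role", "subscriber")
    if role not in SAFE_DEFAULT_ROLES:
        findings.append(f"default_role is '{role}' (expected one of {sorted(SAFE_DEFAULT_ROLES)})")
    if can_register and role == "administrator":
        findings.append("open registration with default_role=administrator: anyone can self-register as admin")
    elif can_register:
        findings.append("users_can_register is enabled; confirm this is intentional")
    return findings

def suspicious_admins(users, since):
    """Administrator accounts registered on or after `since` (e.g. the disclosure date)."""
    return [u["login"] for u in users
            if "administrator" in u["roles"] and u["registered"] >= since]

def suspicious_uploads(files, since):
    """PHP or ZIP files written under the uploads directory on or after `since`."""
    return [f["path"] for f in files
            if f["mtime"] >= since and f["path"].lower().endswith((".php", ".zip"))]

def assess(site):
    """Run every check and return a list of human-readable findings (empty = nothing found)."""
    findings = []
    if is_vulnerable_version(site["elementor_pro_version"]):
        findings.append(f"Elementor Pro {site['elementor_pro_version']} < {FIXED_VERSION}: update now")
    findings += check_options(site["options"])
    since = site["disclosure_date"]
    for login in suspicious_admins(site["users"], since):
        findings.append(f"administrator '{login}' created after {since.date()}")
    for path in suspicious_uploads(site["uploads"], since):
        findings.append(f"executable/archive dropped in uploads: {path}")
    return findings

DISCLOSURE = datetime(2023, 3, 18)  # disclosure date given in the article

# Constructed sample: unpatched site showing the full post-exploitation pattern.
COMPROMISED = {
    "elementor_pro_version": "3.11.6",
    "options": {"users_can_register": "1", "default_role": "administrator"},
    "users": [
        {"login": "owner", "roles": ["administrator"], "registered": datetime(2021, 5, 2)},
        {"login": "wp_admin2", "roles": ["administrator"], "registered": datetime(2023, 3, 29)},
        {"login": "alice", "roles": ["customer"], "registered": datetime(2023, 3, 28)},
    ],
    "uploads": [
        {"path": "wp-content/uploads/2023/03/photo.jpg", "mtime": datetime(2023, 3, 20)},
        {"path": "wp-content/uploads/2023/03/wp-cache.php", "mtime": datetime(2023, 3, 29)},
        {"path": "wp-content/uploads/2023/03/plugin.zip", "mtime": datetime(2023, 3, 29)},
    ],
    "disclosure_date": DISCLOSURE,
}

# Constructed sample: patched site with stock settings.
CLEAN = {
    "elementor_pro_version": "3.12.0",
    "options": {"users_can_register": "0", "default_role": "subscriber"},
    "users": [{"login": "owner", "roles": ["administrator"], "registered": datetime(2021, 5, 2)}],
    "uploads": [{"path": "wp-content/uploads/2023/03/photo.jpg", "mtime": datetime(2023, 3, 20)}],
    "disclosure_date": DISCLOSURE,
}

if __name__ == "__main__":
    for name, site in (("compromised", COMPROMISED), ("clean", CLEAN)):
        print(name, assess(site) or ["no findings"])
```

The version check is a plain tuple comparison rather than a string comparison so that 3.12.0 is correctly treated as newer than 3.11.7. The date cut-off is only a heuristic: an administrator created before the disclosure date is not proof of innocence, and a site that was already patched can still carry a backdoor planted earlier, so the uploads and admin-account checks are worth running even on sites that report 3.11.7 or later.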

The warning comes more than a year after a serious flaw was found in the Essential Addons for Elementor plugin that could allow arbitrary code execution on affected websites. Last week, WordPress pushed automatic updates to fix yet another serious flaw, this one in the WooCommerce Payments plugin, that let unauthenticated attackers take control of affected websites.
