A high-severity vulnerability in the Elementor Pro WordPress plugin is being actively exploited by threat actors, according to WordPress security firm PatchStack. The paid plugin is currently installed on over 11 million websites and is used to create WordPress sites.
The vulnerability was reported on March 18 by security researcher Jerome Bruandet from NinTechNet. The flaw impacts version v3.11.6 and all versions before it, allowing authenticated users to change the site’s settings and potentially lead to a complete site takeover when Elementor Pro is installed on a site that has WooCommerce activated.
The flaw is a broken access control on the plugin’s WooCommerce module, “elementor-pro/modules/woocommerce/module.php.”
Anyone can exploit the issue to change WordPress settings in the database. The flaw is exploited through a vulnerable AJAX action, “pro_woocommerce_update_page_option,” which is used by Elementor’s built-in editor. The issue stems from improper input validation and a lack of capability check to restrict its access to a high privileged user only.
PatchStack researchers are observing attacks from multiple IP addresses, with most of them coming from IP addresses 193.169.194.63, 193.169.195.64, and 194.135.30.6. The researchers also reported that the attackers are changing site URLs to away[dot]trackersline[dot]com. The experts are also seeing files being uploaded with the following file names: wp-resortpack.zip, wp-rate.php, and lll.zip.
The researchers urge administrators of WordPress sites using Elementor Pro to upgrade to version 3.11.7 or later immediately. It is important for website administrators to take swift action to update their plugins to protect their sites from attacks that exploit vulnerabilities such as the one identified in the Elementor Pro WordPress plugin.
Failure to take these actions can lead to the takeover of the website, the modification of site content, and the theft of sensitive information.
