Beware! Hackers are Exploiting WordPress Elementor Pro Vulnerability
Hackers are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress. The vulnerability impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7 released on March 22. This high-severity flaw allows an authenticated attacker to complete a takeover of a WordPress site that has WooCommerce enabled. The premium plugin is estimated to be used on over 12 million sites.
Beware! Your Site Could be at Risk as Hackers are Exploiting WordPress Elementor Pro Vulnerability
Check Also: BEWARE! Pokemon Card Game Is Just A Clever Trap By Hackers
NinTechNet security researcher Jerome Bruandet discovered and reported the vulnerability on March 18, 2023
The flaw is currently being abused in the wild by several IP addresses intending to upload arbitrary PHP and ZIP archive files. Users of the Elementor Pro plugin are recommended to update to 3.11.7 or 3.12.0, which is the latest version, as soon as possible to mitigate potential threats.
“This makes it possible for a malicious user to turn on the registration page (if disabled) and set the default user role to the administrator so they can create an account that instantly has the administrator privileges,” Patchstack said in an alert of March 30, 2023.
“After this, they are likely to either redirect the site to another malicious domain or upload a malicious plugin or backdoor to further exploit the site.”
The advisory comes over a year after the Elementor plugin was found to contain a critical vulnerability. That flaw executed the arbitrary code on compromised websites.
Last week, WordPress issued auto-updates to remediate another critical bug in the WooCommerce Payments plugin. It allowed unauthenticated attackers to gain administrator access to vulnerable sites.
See Also: TPM 2.0 Library Flaws Could Let Hackers Steal Sensitive Data
