A security flaw in Elementor Pro, a website builder plugin for WordPress, is being actively exploited by unidentified threat actors.
Versions 3.11.6 and older are affected by the bug, which is characterized as a case of broken access control. The issue was fixed by the plugin maintainers in version 3.11.7, which was made available on March 22.
The Tel Aviv-based company’s release notes stated that “WooCommerce components have improved code security enforcement.” Almost 12 million sites are reportedly using the premium plugin.
By exploiting the high-severity flaw, an authenticated attacker can take full control of a WordPress site that has WooCommerce enabled.
Plugin Flaw Could Let Attackers Control Millions of Websites
“This makes it possible for a malicious user to turn on the registration page (if disabled) and set the default user role to administrator so they can create an account that instantly has the administrator privileges,” Patchstack said in an alert of March 30, 2023.
“After this, they are likely to either redirect the site to another malicious domain or upload a malicious plugin or backdoor to further exploit the websites.”
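The two settings Patchstack describes the attacker flipping (open registration plus an administrator default role) are easy to audit. The following is an added example, not code from Patchstack, NinTechNet or Elementor: it runs the check over a constructed copy of wp_options values and user records, and also lists administrator accounts created recently, which is the outcome the attack chain aims for. The field names mirror the WordPress options and users tables; the sample data is made up.

```python
from datetime import datetime, timedelta

# Constructed sample wp_options values (stored as strings in WordPress).
SAMPLE_OPTIONS = {
    "users_can_register": "1",
    "default_role": "administrator",
    "siteurl": "https://shop.example",
}

# Constructed sample user records; fields mirror wp_users plus the role.
SAMPLE_USERS = [
    {"user_login": "owner", "role": "administrator", "user_registered": "2021-05-02 10:00:00"},
    {"user_login": "zz-new", "role": "administrator", "user_registered": "2023-03-29 03:12:44"},
    {"user_login": "editor1", "role": "editor", "user_registered": "2022-01-10 08:00:00"},
]

FMT = "%Y-%m-%d %H:%M:%S"  # wp_users.user_registered format


def audit_options(options):
    """Return findings for the two settings the attack chain tampers with."""
    findings = []
    if options.get("users_can_register") == "1":
        findings.append("open registration is enabled (users_can_register=1)")
    if options.get("default_role") == "administrator":
        findings.append("default role for new registrations is administrator")
    return findings


def recent_admins(users, now_str, window_days=30):
    """Logins of administrator accounts registered within the window.

    A fresh administrator that nobody on the team created is the sign that
    the registration/default-role tampering was already used.
    """
    cutoff = datetime.strptime(now_str, FMT) - timedelta(days=window_days)
    return [
        u["user_login"]
        for u in users
        if u["role"] == "administrator"
        and datetime.strptime(u["user_registered"], FMT) >= cutoff
    ]


if __name__ == "__main__":
    for finding in audit_options(SAMPLE_OPTIONS):
        print("FINDING:", finding)
    print("recent admins:", recent_admins(SAMPLE_USERS, "2023-03-31 00:00:00"))
```

On a live site the same two values can be read with `wp option get users_can_register` and `wp option get default_role` (WP-CLI), and the user list with `wp user list --role=administrator`.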
Jerome Bruandet, a security researcher for NinTechNet, is credited with finding and disclosing the vulnerability on March 18, 2023.
Patchstack added that a number of IP addresses are currently exploiting the weakness in the wild to upload arbitrary PHP and ZIP archive files.
To reduce the risk, users of the Elementor Pro plugin are advised to update as soon as possible to either 3.11.7 or 3.12.0, the most recent version.
The warning comes more than a year after a serious flaw was discovered in the Essential Addons for Elementor plugin that could allow arbitrary code execution on affected websites.
WordPress released automatic updates last week to fix yet another serious flaw in the WooCommerce Payments plugin that let unauthenticated attackers take control of affected websites.