Apr 01, 2023Ravie Lakshmanan
Unknown threat actors are actively exploiting a recently patched
security vulnerability in the Elementor Pro website builder plugin
for WordPress.
The flaw, described as a case of broken access control, impacts
versions 3.11.6 and earlier. It was addressed by the plugin
maintainers in version 3.11.7 released on March 22.
“Improved code security enforcement in WooCommerce components,”
the Elementor said[1]
in its release notes. The premium plugin is estimated[2] to be used on over 12
million sites.
Successful exploitation of the high-severity flaw allows an
authenticated attacker to complete a takeover of a WordPress site
that has WooCommerce enabled.
“This makes it possible for a malicious user to turn on the
registration page (if disabled) and set the default user role to
administrator so they can create an account that instantly has the
administrator privileges,” Patchstack said[3]
in an alert of March 30, 2023.
“After this, they are likely to either redirect the site to
another malicious domain or upload a malicious plugin or backdoor
to further exploit the site.”
Credited with discovering and reporting the
vulnerability[4]
on March 18, 2023, is NinTechNet security researcher Jerome
Bruandet.
Patchstack further noted that the flaw is currently being abused
in the wild from several IP addresses intending to upload arbitrary
PHP and ZIP archive files.
Users of the Elementor Pro plugin are recommended to update to
3.11.7 or 3.12.0, which is the latest version, as soon as possible
to mitigate potential threats.
THN WEBINAR
Become an Incident Response Pro!
Unlock the secrets to bulletproof incident response – Master the
6-Phase process with Asaf Perlman, Cynet’s IR Leader!
Don’t Miss Out –
Save Your Seat![5]
The advisory comes over a year after the Essential Addons for Elementor
plugin[6] was found to contain a
critical vulnerability that could result in the execution of
arbitrary code on compromised websites.
Last week, WordPress issued auto-updates to remediate another
critical bug in the WooCommerce Payments plugin[7] that allowed
unauthenticated attackers to gain administrator access to
vulnerable sites.
Found this article interesting? Follow us on Twitter [8]
and LinkedIn[9]
to read more exclusive content we post.
References
- ^
said
(elementor.com) - ^
estimated
(elementor.com) - ^
said
(patchstack.com) - ^
discovering and reporting the
vulnerability (blog.nintechnet.com) - ^
Don’t Miss Out – Save Your Seat!
(thn.news) - ^
Essential Addons for Elementor
plugin (thehackernews.com) - ^
WooCommerce Payments plugin
(thehackernews.com) - ^
Twitter
(twitter.com) - ^
LinkedIn
(www.linkedin.com)
Read more https://thehackernews.com/2023/04/hackers-exploiting-wordpress-elementor.html
Latest News
- VIDEO.I.NG = 2 Live Crew – Banned In The U.S.A .This song, suddenly feeling very relevant. October 27, 2025
- America: Country in the Mirror – Talking About The Americans in the Mirror . We are what we eat indeed and Certainly What or Who we VOTE For ! October 27, 2025
- Michael Jackson, Olodum and the Yoruba Connection ! October 27, 2025
