A high-severity flaw in the Elementor Pro WordPress plugin used by more than eleven million websites has been actively exploited by threat actors.
Elementor Pro is a premium plugin that is currently installed on over 11 million websites. It allows users to easily create WordPress websites.
Researchers reported the vulnerability on March 18th, that the issue impacts Elementor Pro when it is installed on a site that has WooCommerce activated.
The issue impacts version v3.11.6 and all versions before it, allowing authenticated users, like shop customers or site members, to change the site’s settings and can potentially lead to a complete site takeover.
The flaw is broken access control on the plugin’s WooCommerce module (“elementor-pro/modules/woocommerce/module.php”), anyone can exploit the issue to change WordPress settings in the database.
The flaw is exploited through a vulnerable AJAX action, “pro_woocommerce_update_page_option,” which is used by Elementor’s built-in editor.
The issue stems from improper input validation and a lack of capability check to restrict its access to a high privileged user only.
Researchers are observing attacks from multiple IP addresses, most of them from the following IP addresses:
The experts are also seeing files being uploaded with the following file names:
The researchers reported that attackers changing site URL to away[dot]trackersline[dot]com.
It’s been urged that the administrators of WordPress sites using Elementor Pro to upgrade to version 3.11.7 or later 3.12.0.
This research was documented by researchers from PatchStack