Hackers are actively exploiting a high-severity vulnerability in the popular Elementor Pro WordPress plugin used by over eleven million websites.

Elementor Pro is a WordPress page builder plugin that lets users create professional-looking sites without knowing how to code, offering drag and drop, theme creation, a template collection, custom widget support and a WooCommerce builder for online shops.

This vulnerability was discovered by NinTechNet researcher Jérôme Bruandet on March 18, 2023, who this week shared technical details on how the bug can be exploited when installed alongside WooCommerce.

The issue, which affects v3.11.6 and all previous versions, allows authenticated users, such as shop customers or site members, to change site settings and even perform a full site takeover.

The researcher explained that the flaw relates to a broken access control on the plugin’s WooCommerce module (“elementor-pro/modules/woocommerce/module.php”), allowing anyone to modify WordPress options in the database without appropriate validation.

The flaw is exploited through a vulnerable AJAX action, “pro_woocommerce_update_page_option”, which suffers from poorly implemented input validation and a lack of capability checking.

“An authenticated attacker can leverage the vulnerability to create an administrator account by enabling logging and setting the default role to ‘administrator’, changing the administrator’s email address, or redirecting all traffic to an external malicious website by modifying siteurl among many other possibilities,” explains Bruandet in a technical write-up about the bug.

Create a malicious redirect (blog.nintechnet.com)

It is important to note that for the particular flaw to be exploited, the WooCommerce plugin must also be installed on the site, which activates the corresponding vulnerable module on Elementor Pro.

Actively Exploited Elementor Plugin Bug

WordPress security company PatchStack now reports that hackers are actively exploiting this Elementor Pro plugin vulnerability to redirect visitors to malicious domains (“away[.]trackersline[.]com”) or to download backdoors onto the hacked site.

PatchStack indicates that the backdoor downloaded in these attacks is named wp-resortpark.zip, wp-rate.php or lll.zip.

Although few details were provided regarding these backdoors, BleepingComputer found a sample of the lll.zip archive, which contains a PHP script allowing a remote attacker to upload additional files to the compromised server.

This backdoor would allow the attacker to gain full access to the WordPress site, either to steal data or install additional malicious code.
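As an added triage example (not code from the article, NinTechNet or PatchStack), the following Python scans an access log for the AJAX action and backdoor filenames named above, and audits wp_options values for the takeover changes Bruandet describes; the log lines, option values, the uploads path for lll.zip, and the expected host and e-mail are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Indicators named in the article; every log line and option value below is a
# constructed sample, and the uploads path for lll.zip is an assumption.
AJAX_ACTION = "pro_woocommerce_update_page_option"
BACKDOOR_NAMES = ("wp-resortpark.zip", "wp-rate.php", "lll.zip")
REDIRECT_DOMAIN = "away.trackersline.com"
# Common/combined access-log format: client IP, timestamp, request line, status.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3}')

def scan_access_log(lines):
    """Return (ip, reason, path) for requests worth a closer look. The AJAX action
    usually travels in the POST body, which a plain access log does not record, so
    that match only fires when the action sits in the query string; the
    backdoor-filename match is the one that works on ordinary logs."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        if "admin-ajax.php" in path and f"action={AJAX_ACTION}" in path:
            hits.append((m.group("ip"), "elementor-pro ajax action", path))
        elif any(name in path for name in BACKDOOR_NAMES):
            hits.append((m.group("ip"), "known backdoor filename", path))
    return hits

def audit_options(options, expected_host, expected_admin_email):
    """Flag wp_options values matching the takeover paths the article describes."""
    findings = []
    if options.get("users_can_register") == "1" and options.get("default_role") == "administrator":
        findings.append("registration open with default role administrator")
    for key in ("siteurl", "home"):
        host = urlparse(options.get(key, "")).hostname
        if host and host != expected_host:
            note = " (domain reported in this campaign)" if host == REDIRECT_DOMAIN else ""
            findings.append(f"{key} points to {host}{note}")
    if options.get("admin_email") != expected_admin_email:
        findings.append(f"admin_email changed to {options.get('admin_email')}")
    return findings

SAMPLE_LOG = [
    '203.0.113.5 - - [28/Mar/2023:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=pro_woocommerce_update_page_option HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Mar/2023:10:01:09 +0000] "GET /wp-content/uploads/lll.zip HTTP/1.1" 200 4210 "-" "curl/7.88"',
    '198.51.100.7 - - [28/Mar/2023:10:02:30 +0000] "GET /shop/ HTTP/1.1" 200 9031 "-" "Mozilla/5.0"',
]
SAMPLE_OPTIONS = {"siteurl": "https://away.trackersline.com/", "home": "https://shop.example.com",
                  "users_can_register": "1", "default_role": "administrator",
                  "admin_email": "attacker@example.net"}
```

Run `scan_access_log(SAMPLE_LOG)` and `audit_options(SAMPLE_OPTIONS, "shop.example.com", "owner@shop.example.com")` against a real log export and a dump of wp_options to get the same two lists for a live site.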

PatchStack indicates that most attacks targeting vulnerable websites come from the following three IP addresses, so it is suggested to add them to a blocklist:


If your site uses Elementor Pro, it is imperative to upgrade to version 3.11.7 or later (the latest available is 3.12.0) as soon as possible, because hackers are already targeting vulnerable websites.

Last week, WordPress force-updated the WooCommerce Payments plugin on online stores to address a critical vulnerability that allowed unauthenticated attackers to gain administrator access to vulnerable sites.
