Front page layout
Site theme
Dan Goodin - Mar 31, 2023 10:40 pm UTC
Hackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them the ability to take complete control of millions of sites, researchers said.
The vulnerability, which carries a severity rating of 8.8 out of a possible 10, is present in Elementor Pro, a premium plugin running on more than 12 million sites powered by the WordPress content management system. Elementor Pro allows users to create high-quality websites using a wide range of tools, one of which is WooCommerce, a separate WordPress plugin. When those conditions are met, anyone with an account on the site—say a subscriber or customer—can create new accounts that have full administrator privileges.
The vulnerability was discovered by Jerome Bruandet, a researcher with security firm NinTechNet. Last week, Elementor, the developer of the Elementor Pro plugin, released version 3.11.7, which patched the flaw. In a post published on Tuesday, Bruandet wrote:
An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration (users_can_register) and setting the default role (default_role) to “administrator”, change the administrator email address (admin_email) or, as shown below, redirect all traffic to an external malicious website by changing siteurl among many other possibilities:
Now, researchers with a separate security firm, PatchStack, report that the vulnerability is under active exploitation. Attacks are coming from a variety of IP addresses, including:
Files uploaded to compromised sites often have the following names:
URLs of compromised sites are often being changed to:
The broken access control vulnerability stems from Elementor Pro’s use of the “elementor-pro/modules/woocommerce/module.php” component. When WooCommerce is running, this script registers the following AJAX actions:
and
The update_option function “is supposed to allow the Administrator or the Shop Manager to update some specific WooCommerce options, but user input aren’t validated and the function lacks a capability check to restrict its access to a high privileged user only,” Bruandet explained. He continued:
Elementor uses its own AJAX handler to manage most of its AJAX actions, including pro_woocommerce_update_page_option, with the global elementor_ajax action. It is located in the “elementor/core/common/modules/ajax/module.php” script of the free version (which is required to run Elementor Pro) :
Anyone using Elementor Pro should ensure they’re running 3.11.7 or later, as all previous versions are vulnerable. It’s also a good idea for these users to check their sites for the signs of infection listed in the PatchStack post.
Join the Ars Orbital Transmission mailing list to get weekly updates delivered to your inbox. Sign me up →
CNMN Collection
WIRED Media Group
© 2023 Condé Nast. All rights reserved. Use of and/or registration on any portion of this site constitutes acceptance of our User Agreement (updated 1/1/20) and Privacy Policy and Cookie Statement (updated 1/1/20) and Ars Technica Addendum (effective 8/21/2018). Ars may earn compensation on sales from links on this site. Read our affiliate link policy.
Your California Privacy Rights | Do Not Sell My Personal Information
The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast.
Ad Choices

source