This Elementor Pro Plugin Vulnerability May Allow Hackers to Take Control of Your Website!

A critical vulnerability in the Elementor Pro plugin, used by millions of WordPress websites, has been discovered by cybersecurity expert Jerome Bruandet. The flaw allows any authenticated user, including low-privilege roles such as subscriber or customer, to update any WordPress setting on the site through an AJAX action that lacks proper privilege control. The bug is exploitable when the plugin is used in conjunction with the WooCommerce online store-building tool, allowing an attacker to compromise the site further, redirect it to a fraudulent domain, and upload malicious plugins or backdoors.

Security firm PatchStack has reported that hackers are actively exploiting this bug in Elementor Pro to redirect visitors to dangerous sites and upload backdoors to the breached website. The backdoors uploaded in these attacks are named wp-resortpark.zip, wp-rate.php, or lll.zip. A sample of the lll.zip archive contains a PHP script that lets remote attackers upload additional files to the compromised server, giving them full access to the WordPress site. Attackers can use this backdoor to steal data or install additional malicious code.

The vulnerable Elementor Pro module is only enabled when the WooCommerce plugin is installed, so attackers have been targeting sites that run both. Once the bug is triggered, attackers can use a variety of methods to exploit the site, including uploading backdoors and stealing sensitive data. PatchStack has identified several backdoors uploaded during these attacks, including wp-resortpark.zip, wp-rate.php, and lll.zip, while site URLs are being changed to away[dot]trackersline[dot]com. Exploitation of the vulnerability is underway, with most attacks coming from the IP addresses 193.169.194.63, 193.169.195.64, and 194.135.30.6.

The vulnerability is caused by broken access control in the WooCommerce module of the plugin, which allows any authenticated user to alter WordPress options in the database without proper validation. The bug is exploited through an AJAX action called “pro_woocommerce_update_page_option”, which has weak input validation and performs no capability checks. The flaw affects Elementor Pro versions 3.11.6 and earlier; the fix was released in version 3.11.7 on March 22, 2023.
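The indicators quoted above (the attacking IP addresses, the backdoor file names, the redirect domain and the vulnerable AJAX action name) can be turned into a simple triage check over web-server access logs. The script below is an added example written for this page, not code from PatchStack, Elementor or the article's author. It parses combined-format access-log lines, flags requests that match any of the article's indicators, and runs over a handful of constructed sample lines. The article does not give the parameter names the AJAX action accepts, so the script makes the labelled assumption that a sensitive option name appearing anywhere in the query string (as a key or a value) is worth alerting on.

```python
"""Triage access-log lines for the Elementor Pro / WooCommerce AJAX abuse described in the article.

Added example; indicators come from the article, sample log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators quoted in the article above.
KNOWN_ATTACKER_IPS = {"193.169.194.63", "193.169.195.64", "194.135.30.6"}
BACKDOOR_NAMES = {"wp-resortpark.zip", "wp-rate.php", "lll.zip"}
VULNERABLE_ACTION = "pro_woocommerce_update_page_option"
REDIRECT_DOMAIN = "trackersline.com"
# Assumption: the article does not name the action's parameters, so any request to admin-ajax.php
# that mentions one of these option names (as a key or a value) is treated as suspicious.
SENSITIVE_OPTIONS = {"siteurl", "home", "active_plugins", "admin_email",
                     "users_can_register", "default_role"}

# Apache/nginx "combined"-style line: client ip, identity, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one access-log line into fields; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["uri"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)  # {param_name: [values]}
    return entry


def classify(entry):
    """Return the set of indicator names matched by one parsed request (empty set if clean)."""
    reasons = set()
    query = entry["query"]
    if entry["ip"] in KNOWN_ATTACKER_IPS:
        reasons.add("known-attacker-ip")
    if entry["path"].endswith("/wp-admin/admin-ajax.php"):
        if VULNERABLE_ACTION in query.get("action", []):
            reasons.add("vulnerable-ajax-action")
        names_seen = set(query) | {v for vals in query.values() for v in vals}
        if names_seen & SENSITIVE_OPTIONS:
            reasons.add("sensitive-option-in-request")
    if any(REDIRECT_DOMAIN in v for vals in query.values() for v in vals):
        reasons.add("redirect-domain-in-request")
    if entry["path"].rsplit("/", 1)[-1] in BACKDOOR_NAMES:
        reasons.add("backdoor-filename")
    return reasons


def scan(lines):
    """Return (ip, path, reasons) for every line that matched at least one indicator."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["path"], reasons))
    return findings


# Constructed sample log lines, not real traffic; RFC 5737 addresses stand in for ordinary visitors.
SAMPLE_LOG = [
    '193.169.194.63 - - [10/Apr/2023:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=pro_woocommerce_update_page_option HTTP/1.1" 200 123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2023:12:00:05 +0000] "GET /wp-content/uploads/2023/04/lll.zip HTTP/1.1" 200 4321 "-" "curl/7.88"',
    '203.0.113.5 - - [10/Apr/2023:12:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50 "-" "Mozilla/5.0"',
    '194.135.30.6 - - [10/Apr/2023:12:02:00 +0000] "GET /wp-rate.php HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Apr/2023:12:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=pro_woocommerce_update_page_option&siteurl=http://away.trackersline.com HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(f"{ip:16} {path:45} {', '.join(sorted(reasons))}")
```

Access logs record only the query string, so a real attack that sends the action and option values in the POST body will show up here only as a POST to admin-ajax.php from a known address; WAF or request-body logging is needed to see the parameters. Treat a hit as a reason to check the site's home and siteurl options and the uploads directory, not as proof of compromise on its own.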

Despite the patch being available for several weeks, many WordPress sites continue to run outdated versions of the Elementor Pro plugin. Attackers have been quick to exploit this vulnerability, and numerous attacks have been reported in recent weeks.

Elementor Pro has released a patch for the vulnerability in version 3.11.7 of its plugin, and site administrators are advised to upgrade their sites immediately.

The lll.zip archive contains a PHP script that allows remote attackers to upload additional files to the compromised server. Hackers can use this backdoor to gain full access to the WordPress site and install additional malicious code. This allows attackers to steal sensitive data, compromise the site’s functionality, and cause other types of damage.

WordPress site owners are urged to update their Elementor Pro plugin to version 3.1.4 or later to mitigate the risk of attack. Site owners should also ensure that all plugins and themes are kept up to date, as outdated software can provide an easy target for hackers. Regular site backups are also recommended, as they can help to restore the site in the event of a successful attack. By taking these steps, WordPress site owners can help to protect their sites from this and other types of attacks.

Author

editorialteam