A recently patched security vulnerability in Elementor Pro, the premium website builder plugin for WordPress, is being actively exploited in the wild by unidentified threat actors.
The broken access control flaw affects versions 3.11.6 and earlier and was resolved by the plugin's developers in version 3.11.7, released on March 22. The release notes from the Tel Aviv-based company describe the change only as “Improved code security enforcement in WooCommerce components.” The premium plugin is believed to be in use on over 12 million websites.
Successful exploitation of this high-severity vulnerability enables an authenticated attacker, even one holding only a low-privileged account such as a WooCommerce customer, to take full control of a WordPress site that has WooCommerce enabled. Patchstack, in an alert dated March 30, 2023, stated, “This allows a malicious user to activate the registration page (if disabled) and set the default user role to administrator, enabling them to create an account with immediate administrator privileges.”
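The bug class behind the advisory, shown as an added illustration rather than Elementor Pro's actual code: a WordPress AJAX handler that writes whatever option name and value the request supplies, next to a hardened version of the same feature. The two settings the Patchstack alert refers to are WordPress's `users_can_register` (whether the registration page is open) and `default_role` (the role new registrants receive), both ordinary entries in the options table. The action name `example_update_page_option`, the function names and the WooCommerce-page allowlist are this example's own assumptions.

```php
<?php
// Illustrative snippet added to this article; not Elementor Pro's handler.
// Assumes it runs inside WordPress: update_option(), current_user_can(),
// check_ajax_referer() and the sanitize_* helpers are WordPress core functions.

// VULNERABLE: wp_ajax_* hooks fire for every logged-in user, including the
// "customer" role that WooCommerce registration creates. Because the option
// name and value come straight from the request and nothing checks who is
// asking, a customer can send option=users_can_register&value=1, then
// option=default_role&value=administrator, and register an admin account.
function example_update_page_option_vulnerable() {
    $name  = sanitize_text_field( wp_unslash( $_POST['option'] ?? '' ) );
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value ); // no nonce, no capability check, no allowlist
    wp_send_json_success();
}

// HARDENED: nonce check, an explicit capability check, and an allowlist of the
// only options this feature legitimately needs to touch (WooCommerce page IDs).
// Sanitising input is not a substitute for deciding who may change which option.
function example_update_page_option_hardened() {
    check_ajax_referer( 'example_update_page_option', 'nonce' );

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $allowed = array(
        'woocommerce_shop_page_id',
        'woocommerce_cart_page_id',
        'woocommerce_checkout_page_id',
        'woocommerce_myaccount_page_id',
    );
    $name = sanitize_key( $_POST['option'] ?? '' );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    $value = absint( $_POST['value'] ?? 0 ); // page IDs are positive integers
    if ( ! $value || 'page' !== get_post_type( $value ) ) {
        wp_send_json_error( 'invalid page', 400 );
    }

    update_option( $name, $value );
    wp_send_json_success();
}

// Only the hardened handler is hooked here; the vulnerable one would have been
// registered on the same hook in exactly the same way.
add_action( 'wp_ajax_example_update_page_option', 'example_update_page_option_hardened' );
```

The capability check is the fix that matters: a nonce alone only proves the request came from the site's own page, which any logged-in customer can load, and `sanitize_text_field()` happily passes `administrator` through unchanged. Restricting the writable option names closes the door on the same handler being repurposed against any other setting.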
With an administrator account in hand, the attacker can redirect the site to a malicious domain or upload a malicious plugin or backdoor to maintain access and carry out further attacks.
The flaw was discovered and reported on March 18, 2023 by NinTechNet security researcher Jerome Bruandet. Patchstack also reports that several IP addresses are already exploiting the flaw in the wild, in attempts to upload arbitrary PHP and ZIP archive files to vulnerable sites.
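A triage script for the attack chain the article describes, added here as an example and not taken from Patchstack or NinTechNet: it reads web-server access log lines in the common Apache/Nginx "combined" format and flags client IPs that, in order, POST to admin-ajax.php (where the option change would be made), visit the WordPress registration page, and then upload a plugin. The log lines are constructed for the example, and the three request paths are assumptions about how the chain looks in a log; real attackers may use other endpoints, and admin-ajax.php is also hit constantly by legitimate traffic, so a match is a lead to investigate, not proof of compromise.

```php
<?php
// Added example; constructed log lines, not a real capture.
// Usage: php triage.php  (prints any IP that completed all three stages)

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [30/Mar/2023:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 52 "-" "python-requests/2.28"
203.0.113.10 - - [30/Mar/2023:10:01:05 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 4100 "-" "python-requests/2.28"
203.0.113.10 - - [30/Mar/2023:10:01:09 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 302 0 "-" "python-requests/2.28"
198.51.100.7 - - [30/Mar/2023:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Mar/2023:10:02:30 +0000] "GET /shop/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
LOG;

// Ordered stages of the chain; each regex is matched against "METHOD PATH".
// The paths are assumed: admin-ajax.php for the option change, the core
// registration page, and the core plugin-upload endpoint.
const STAGES = [
    'ajax'     => '#^POST /wp-admin/admin-ajax\.php#',
    'register' => '#^(GET|POST) /wp-login\.php\?action=register#',
    'upload'   => '#^POST /wp-admin/update\.php\?action=upload-plugin#',
];

/**
 * Returns [ip => [stage => timestamp]] for every IP that reached all stages
 * in order. Out-of-order hits are ignored, so a customer who merely browses
 * the shop (admin-ajax traffic only) is not flagged.
 */
function find_exploit_chains(string $log): array {
    $progress   = []; // ip => index of the next stage expected
    $seen       = []; // ip => [stage => timestamp]
    $stageNames = array_keys(STAGES);

    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client IP, timestamp, method and path from a combined-format line
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
            continue; // not a line we understand
        }
        [, $ip, $ts, $method, $path] = $m;

        $next = $progress[$ip] ?? 0;
        if ($next >= count($stageNames)) {
            continue; // chain already complete for this IP
        }
        $stage = $stageNames[$next];
        if (preg_match(STAGES[$stage], "$method $path")) {
            $seen[$ip][$stage] = $ts;
            $progress[$ip]     = $next + 1;
        }
    }

    return array_filter($seen, fn($s) => count($s) === count(STAGES));
}

foreach (find_exploit_chains(SAMPLE_LOG) as $ip => $stages) {
    echo "suspicious chain from $ip:\n";
    foreach ($stages as $stage => $ts) {
        echo "  $stage at $ts\n";
    }
}
```

On the constructed input only 203.0.113.10 is reported; 198.51.100.7 touches admin-ajax.php but never reaches the registration stage. Any hit is worth pairing with a look at the users table for administrators created around the flagged timestamps and at the site's registration and default-role settings.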
To mitigate potential threats, Elementor Pro users are advised to update to version 3.11.7 or later (the latest release at the time of writing is 3.12.0) as soon as possible. Because a successful attack leaves the intruder with a persistent administrator account, sites that were exposed before patching should also be checked for unexpected administrator users, a registration setting or default role that was changed without authorisation, and recently added plugins or PHP files.
The advisory follows a critical vulnerability disclosed in the Essential Addons for Elementor plugin more than a year ago that could lead to arbitrary code execution on affected websites. Last week, WordPress also pushed forced auto-updates to address a critical bug in the WooCommerce Payments plugin that allowed unauthenticated attackers to gain administrator access to vulnerable sites.