Threat actors are actively exploiting a high-severity vulnerability discovered in the popular plugin Elementor Pro.
Elementor Pro is a WordPress page builder plugin with multiple functions that helps users to build professional-looking websites easily, without the need to know how to code. The plugin features drag-and-drop, theme building, a template collection, custom widget support, and a WooCommerce builder for online shops. The plugin is estimated to be used on over 11 million sites.
Details About the Vulnerability
The flaw, which affects v3.11.6 and all versions prior to it, enables authenticated users, such as site members or consumers of online stores, to alter the settings of the website and potentially take entire control of it.
Security researcher Jerome Bruandet, the one who discovered the vulnerability, explained that the flaw concerns a broken access control on the plugin’s WooCommerce module (“elementor-pro/modules/woocommerce/module.php”), permitting database changes to WordPress settings without proper validation.
The vulnerability is exploited through an AJAX action called “pro_woocommerce_update_page_option,” which has weak input validation and no capability checks.
An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration and setting the default role to “administrator,” change the administrator email address, or redirect all traffic to an external malicious website by changing siteurl, among many other possibilities.
Jerome Bruandet (Source)
For the flaw to be exploited, the WooCommerce plugin must also be installed on the site, which activates the vulnerable module in Elementor Pro.
Security researchers report that threat actors are actively exploiting the vulnerability to redirect visitors to malicious domains or to upload backdoors to the breached site.
The backdoors used in this type of attack are named wp-resortpack.zip, wp-rate.php, or lll.zip. Not many specifics about these backdoors were provided, but a sample of the lll.zip bundle obtained by BleepingComputer contained a PHP script that enables a remote attacker to upload further files to the compromised server.
The attacker would have complete access to the WordPress website through this backdoor, allowing them to steal data or introduce new malicious code.
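As an added illustration (not code from the article or from Elementor), the following Python triage script flags the two indicators the article names, the “pro_woocommerce_update_page_option” AJAX action and the reported backdoor filenames, in web server access logs. The log lines embedded below are constructed for the example; note that WordPress AJAX actions are normally sent in the POST body, which standard access logs do not record, so this check only catches the action when it appears in the query string and a WAF or application log is needed for full coverage.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format (regex written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the advisory text: the vulnerable AJAX action and the
# backdoor filenames reported in post-exploitation.
VULN_ACTION = "pro_woocommerce_update_page_option"
BACKDOOR_FILES = ("wp-resortpack.zip", "wp-rate.php", "lll.zip")

Finding = namedtuple("Finding", "ip ts reason path")


def triage_line(line):
    """Return a Finding if the log line matches an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # not a combined-format line; ignore
    parts = urlsplit(m.group("path"))
    base = parts.path.rsplit("/", 1)[-1]
    # Exact match on the action parameter, not a substring check.
    action = parse_qs(parts.query).get("action", [])
    if base == "admin-ajax.php" and action == [VULN_ACTION]:
        return Finding(m.group("ip"), m.group("ts"), "vulnerable ajax action", m.group("path"))
    if base in BACKDOOR_FILES:
        return Finding(m.group("ip"), m.group("ts"), "known backdoor filename", m.group("path"))
    return None


def triage(lines):
    """Run triage_line over an iterable of log lines and keep the hits."""
    return [f for f in (triage_line(l) for l in lines) if f]


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [31/Mar/2023:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=pro_woocommerce_update_page_option HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.10 - - [31/Mar/2023:10:01:09 +0000] "GET /wp-content/uploads/lll.zip HTTP/1.1" 200 20448 "-" "curl/7.88.1"
198.51.100.7 - - [31/Mar/2023:10:02:00 +0000] "GET /shop/ HTTP/1.1" 200 14233 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Mar/2023:10:02:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 43 "-" "Mozilla/5.0"
203.0.113.10 - - [31/Mar/2023:10:03:11 +0000] "POST /wp-rate.php HTTP/1.1" 200 12 "-" "python-requests/2.28"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.ip} {f.reason}: {f.path}")
```

A hit on the backdoor filenames after a hit on the AJAX action from the same source, as in the sample, is the sequence the article describes and warrants checking the site's registration, default role, admin email and siteurl options.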
The following three IP addresses are where the majority of attacks against vulnerable websites come from, hence it is advised to add them to a blocklist:
- 169.194.63
- 169.195.64
- 135.30.6
If your website uses Elementor Pro, it is advised to upgrade to version 3.11.7 or later as soon as possible, to avoid falling victim to the threat actors actively targeting vulnerable websites.