Unidentified threat actors are actively exploiting a recently patched security vulnerability in Elementor Pro, a premium website-builder plugin for WordPress.
The flaw is a broken access control issue affecting all versions up to and including 3.11.6. The plugin's maintainers fixed it in version 3.11.7, released on March 22, 2023.
Elementor's release notes describe the fix only as enhanced code security in the plugin's WooCommerce components. The premium plugin is used on more than 12 million websites.
Successful exploitation of the high-severity flaw allows an attacker to take over a WordPress site on which WooCommerce is enabled. The attacker must be authenticated, but any logged-in account suffices, including a low-privilege customer account of the kind most WooCommerce stores let anyone create.
In an alert published on March 30, 2023, Patchstack explained that an authenticated user can abuse the flaw to enable user registration even when the site owner has disabled it, and to set the default role for newly registered users to administrator. Registering a fresh account then yields an administrator account in a single step.
From there, the attacker can redirect the site to a malicious domain, or upload a malicious plugin or backdoor to maintain persistence and escalate the compromise.
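The following is an added illustration, not Elementor's code and not Patchstack's proof of concept: a WordPress AJAX handler with the shape of bug described above, which lets any logged-in user write an arbitrary site option, placed beside a hardened version of the same handler. The action names, the nonce name and the `option_name` / `option_value` request parameters are assumptions made for the demo; the WooCommerce page-ID options in the allowlist are real option names, chosen to show what such a handler legitimately manages.

```php
<?php
/**
 * Added illustration of the broken-access-control pattern behind the
 * Elementor Pro advisory (not the plugin's own code). Hypothetical action
 * names, nonce name and request parameters are assumptions for the demo.
 */
defined( 'ABSPATH' ) || exit;

// --- Vulnerable shape -----------------------------------------------------
// wp_ajax_* hooks fire for every authenticated user, including a WooCommerce
// customer holding only the 'subscriber' role. A nonce that the plugin hands
// to every logged-in visitor proves where the request came from, not that
// the caller is allowed to change site settings. Whatever option name the
// request supplies is written verbatim.
add_action( 'wp_ajax_example_update_page_option_vuln', function () {
	check_ajax_referer( 'example_nonce', 'nonce' );

	$name  = $_POST['option_name'];   // attacker-controlled
	$value = $_POST['option_value'];  // attacker-controlled

	// Two requests are enough for a takeover:
	//   option_name=users_can_register  option_value=1
	//   option_name=default_role        option_value=administrator
	// followed by an ordinary sign-up on wp-login.php?action=register.
	update_option( $name, $value );
	wp_send_json_success();
} );

// --- Hardened shape -------------------------------------------------------
// 1. Require a capability that only administrators hold.
// 2. Accept only the specific options this feature exists to manage.
// 3. Validate the value as what it is supposed to be (a page ID), never a
//    free-form string.
const EXAMPLE_ALLOWED_PAGE_OPTIONS = array(
	'woocommerce_cart_page_id',
	'woocommerce_checkout_page_id',
	'woocommerce_myaccount_page_id',
);

add_action( 'wp_ajax_example_update_page_option', function () {
	check_ajax_referer( 'example_nonce', 'nonce' );

	// Authorization check: the nonce alone is not one.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'insufficient privileges', 403 );
	}

	$name = isset( $_POST['option_name'] )
		? sanitize_key( wp_unslash( $_POST['option_name'] ) )
		: '';
	if ( ! in_array( $name, EXAMPLE_ALLOWED_PAGE_OPTIONS, true ) ) {
		// users_can_register, default_role, siteurl, home, ... all land here.
		wp_send_json_error( 'option not permitted', 400 );
	}

	$page_id = isset( $_POST['option_value'] ) ? absint( $_POST['option_value'] ) : 0;
	if ( 0 === $page_id || 'page' !== get_post_type( $page_id ) ) {
		wp_send_json_error( 'invalid page id', 400 );
	}

	update_option( $name, $page_id );
	wp_send_json_success( array( 'option' => $name, 'value' => $page_id ) );
} );
```

The capability check is the fix that matters; the allowlist is defence in depth, so that even an administrator-only handler cannot be turned into a generic "write any option" primitive if the capability check is later weakened or the nonce leaks.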
Jerome Bruandet, a security researcher at NinTechNet, is credited with discovering and reporting the vulnerability on March 18, 2023.
Patchstack also reported that the flaw is being exploited in the wild from multiple IP addresses, with attackers attempting to upload arbitrary PHP files and ZIP archives to compromised sites.
Users of Elementor Pro are advised to update to 3.11.7 or, preferably, the latest release 3.12.0 as soon as possible. Sites that ran a vulnerable version while the flaw was being exploited should also verify that user registration and the default role are set as intended, and audit any administrator accounts and plugin files created since the patch was released.
The alert comes more than a year after a critical vulnerability was disclosed in the Essential Addons for Elementor plugin that could allow attackers to execute arbitrary code on affected websites.
A week earlier, WordPress pushed forced automatic updates to fix a critical flaw in the WooCommerce Payments plugin that allowed unauthenticated attackers to gain administrator privileges on vulnerable websites.