This top WordPress plugin had a security flaw that could let hackers hijack your site
Users could elevate privileges and get WordPress admin status
One of the most popular website builder plugins for WordPress carries a high-severity vulnerability that threat actors can use to take over the vulnerable website completely, researchers have warned.
Cybersecurity researcher Jerome Bruandet from NinTechNet said he discovered a flaw in Elementor Pro that allows an authenticated attacker to create an administrator account. That gives the attackers a range of possibilities, including one that is already being actively exploited: redirecting all traffic to an external malicious website.
ArsTechnica reports that the traffic from compromised websites is being redirected to away[dot]trackersline[dot]com.
Critical vulnerability
WordPress security experts PatchStack also found some threat actors uploading malicious files to vulnerable websites, including wp-resortpack.zip, wp-rate.php, and lll.zip.
The vulnerability has been rated 8.8/10, earning the status “critical”. Users are advised to update Elementor Pro to 3.11.7, or later, as all older versions are vulnerable to the flaw.
This is not the first time a high-severity flaw has been discovered in Elementor. In April last year, cybersecurity researchers from Wordfence found a flaw that allowed any authenticated user to upload arbitrary PHP code. Back then, the plug-in was in version 3.6.0, which introduced a new Onboarding module. The goal of the module was to simplify the plug-in’s initial setup, but it came with an “unusual” method to register AJAX actions, with no capability checks.
Consequently, any logged-in user could call any of the onboarding functions. In practice, an attacker could, for example, create a malicious “Elementor Pro” plugin zip and use the onboarding functions to install it. The site would then execute any code present in the plugin, including code designed to take over the site or access additional resources on the server. The functions could also be used to completely deface the site, researchers said at the time.
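To make the root cause concrete for both flaws described above (an authenticated user reaching privileged functionality), here is an added illustration that is not Elementor's code and not taken from the article or the researchers' write-ups. It shows a WordPress AJAX action registered with no capability check, next to the hardened form a plugin developer would want. All function, action and nonce names (`demo_install_plugin`, `demo_do_install`, `demo_install_plugin_nonce`) are hypothetical.

```php
<?php
// Added illustration (hypothetical names): an AJAX handler exposed to every
// logged-in user versus one that authorizes the caller before doing privileged work.

// --- Vulnerable pattern -----------------------------------------------------------
// The wp_ajax_{action} hook fires for ANY authenticated user, Subscriber included.
// Without an explicit capability check, the role of the caller is never consulted,
// so a low-privilege account can trigger an operation meant for administrators.
add_action( 'wp_ajax_demo_install_plugin', 'demo_install_plugin_unchecked' );

function demo_install_plugin_unchecked() {
    $zip = isset( $_POST['zip'] ) ? sanitize_text_field( wp_unslash( $_POST['zip'] ) ) : '';
    demo_do_install( $zip ); // privileged work, performed for whoever sent the request
    wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------------
// Order matters: authorize, then verify intent (nonce), then validate input, then act.
// Never register privileged handlers on wp_ajax_nopriv_{action}, which serves
// unauthenticated visitors as well.
add_action( 'wp_ajax_demo_install_plugin_secure', 'demo_install_plugin_checked' );

function demo_install_plugin_checked() {
    // 1. Authorization: only users allowed to install plugins get past this line.
    //    A handler that creates users would check 'create_users' here instead.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }

    // 2. CSRF protection: the request must carry a nonce minted for this action,
    //    supplied in the 'nonce' request field.
    check_ajax_referer( 'demo_install_plugin_nonce', 'nonce' );

    // 3. Input validation: accept a bare file name only, never a path or URL.
    $zip = isset( $_POST['zip'] ) ? sanitize_file_name( wp_unslash( $_POST['zip'] ) ) : '';
    if ( '' === $zip || ! preg_match( '/\.zip$/i', $zip ) ) {
        wp_send_json_error( array( 'message' => 'invalid file' ), 400 );
    }

    demo_do_install( $zip );
    wp_send_json_success();
}

// Hypothetical placeholder for the privileged operation; a real plugin would
// unpack the archive and activate it with the WordPress upgrader classes.
function demo_do_install( $zip ) {
    // intentionally empty in this illustration
}
```

The page that calls the hardened handler obtains its nonce with `wp_create_nonce( 'demo_install_plugin_nonce' )` and posts it as the `nonce` field. The key defensive point is the first check: `current_user_can()` ties the action to a capability, so a compromised or self-registered low-privilege account cannot reach the installer at all, which is exactly the boundary the unchecked handler lacks. When reviewing a plugin, search every `add_action( 'wp_ajax_` registration for a corresponding `current_user_can()` call in its callback.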
Today, Elementor Pro is used by more than 12 million websites, ArsTechnica concludes.
Via: ArsTechnica
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.