Hackers Exploiting WordPress Plugin

One of the most popular WordPress plugins, Elementor Pro, used by over eleven million websites, is vulnerable to a high-severity vulnerability that hackers have actively exploited.

More than 12 million sites powered by WordPress have been affected by the vulnerability, which carries a severity rating of 8.8 out of 10.

EHA

Elementor Pro is a plugin that allows users to build professional-looking websites without knowing how to code. It provides drag-and-drop functionality like:- 

  • Theme building
  • A template collection
  • Custom widget support
  • WooCommerce support

Vulnerability Information

This critical vulnerability occurred in Elementor Pro version 3.11.6. It does, however, allow any authenticated user to update any WordPress setting that has been set on the site. 

To accomplish this, an AJAX action within Elementor Pro is used that does not have the proper privilege control in place.

The vulnerability affects versions 3.11.6 and the below of the plugin. As a result, malicious users can set the default role of the user account to administrate on the registration page, which instantly grants them administrator rights.

So, it’s strongly recommended that users must update their Elementor Pro plugin to version 3.11.7, released on March 22, 2023, in conjunction with the WooCommerce plugin running on the site.

Hackers actively exploited the Elementor Plugin Bug

Using the vulnerability in the Elementor Pro plugin, hackers redirect visitors to malicious domains or upload backdoors to the compromised website.

According to PatchStack, the following malicious files were uploaded that were used in the attack, and the files are named:- 

  • Wp-resortpark.zip
  • Wp-rate.php
  • lll.zip

As a result of this backdoor, the attacker could gain full access to the WordPress site, whether to steal data or install additional malicious software.

IP addresses to be Blocked

Adding the following IP addresses to a blocklist is recommended to help prevent attacks targeting vulnerable websites.

 The majority of attacks targeting vulnerable websites originate from these three IP addresses:-

  • 193.169[.]194.63
  • 193.169[.]195.64
  • 194.135[.]30.6

On March 18, 2023, NinTechNet researcher Jerome Bruandet discovered this vulnerability. He shared technical details on how it can be exploited using WooCommerce.

There is an issue with v3.11.6 and all previous versions that allow authenticated users to change the site’s settings and even take over the entire site by changing the site’s settings or doing a complete makeover.

By enabling registration and setting the default role to “administrator,” an authenticated attacker may be able to create an administrator account by exploiting the vulnerability. 

While changing the administrator’s email address and redirecting all traffic to an external malicious site could also be performed by the threat actor.

Even in some cases, security analysts have also observed that the URLs are being changed to:-

  • away[dot]trackersline[dot]com

So, update your Elementor Pro on your website as soon as possible since hackers are already attacking vulnerable websites due to the lack of updates.

Building Your Malware Defense Strategy – Download Free E-Book

Related Read:

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.