How hackers are exploiting this bug in a WordPress plugin used by over 11 million websites


Elementor Pro is a popular WordPress plugin used by over eleven million websites. This page-building plugin lets users who don't know how to code create professional sites. It supports features such as drag and drop, theme building, a collection of templates, custom widgets and a WooCommerce builder (for online shops). According to a report by BleepingComputer, hackers are actively exploiting a bug in this plugin. The security flaw was discovered by researcher Jerome Bruandet in March. Bruandet has also shared technical details of how the bug is being exploited on sites where the plugin is installed alongside WooCommerce.

WordPress Elementor Pro bug: What is it
The report states that the issue affects version 3.11.6 of the plugin and all earlier versions. The bug allows authenticated users (such as shop customers or site members) to change the site's settings, and it can also be used to perform a complete site takeover.

Bruandet explains that the bug is a broken access control in the plugin's WooCommerce module, which lets any user alter WordPress options in the database without proper validation.

The flaw lies in an AJAX action named “pro_woocommerce_update_page_option”, which performs only weak input validation and no capability check, so it does not verify that the calling user is allowed to change site options.
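
The two missing controls the report describes, a capability check and validation of which option may be written, are easiest to see side by side in a WordPress AJAX handler. The following is an added illustrative example, not Elementor Pro's code: it registers a hypothetical action `example_update_page_option` (the option names `example_shop_page_id` and `example_cart_page_id` are likewise made up) and shows a weak handler beside a hardened one.

```php
<?php
// Added illustrative example, not Elementor Pro's code. The action name and the
// option names are hypothetical.

// Weak pattern: any logged-in user reaching wp_ajax_* can call this, and the
// handler writes whatever option name it is given. Because it never checks a
// capability or restricts the option, a low-privilege account can change
// site-wide settings such as registration or the default role.
add_action( 'wp_ajax_example_update_page_option_weak', function () {
    $option = sanitize_text_field( wp_unslash( $_POST['option_name'] ?? '' ) );
    $value  = wp_unslash( $_POST['option_value'] ?? '' );
    update_option( $option, $value );
    wp_send_json_success();
} );

// Hardened pattern.
add_action( 'wp_ajax_example_update_page_option', 'example_update_page_option' );

function example_update_page_option() {
    // 1. CSRF protection: the request must carry a nonce issued to this user for
    //    this action. check_ajax_referer() ends the request on failure.
    check_ajax_referer( 'example_update_page_option', 'nonce' );

    // 2. Capability check: being logged in is not enough; only users who may
    //    manage site options proceed. wp_send_json_error() ends the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Allowlist: the handler may only touch the options it exists to manage,
    //    each paired with the sanitizer appropriate for its type.
    $allowed = array(
        'example_shop_page_id' => 'absint',
        'example_cart_page_id' => 'absint',
    );
    $option = isset( $_POST['option_name'] )
        ? sanitize_key( wp_unslash( $_POST['option_name'] ) )
        : '';
    if ( ! array_key_exists( $option, $allowed ) ) {
        wp_send_json_error( array( 'message' => 'Option not permitted' ), 400 );
    }

    // 4. Type-specific validation of the value: a page ID must be a positive
    //    integer that refers to an existing page.
    $sanitizer = $allowed[ $option ];
    $value     = isset( $_POST['option_value'] )
        ? call_user_func( $sanitizer, wp_unslash( $_POST['option_value'] ) )
        : 0;
    if ( 0 === $value || 'page' !== get_post_type( $value ) ) {
        wp_send_json_error( array( 'message' => 'Value must be an existing page ID' ), 400 );
    }

    update_option( $option, $value );
    wp_send_json_success( array( 'option' => $option, 'value' => $value ) );
}
```

The order matters: the nonce and capability checks run before any request data is interpreted, and the allowlist means that even a privileged caller cannot use this endpoint to write an unrelated option such as the default user role.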


Bruandet explains: “An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration and setting the default role to ‘administrator,’ change the administrator email address or redirect all traffic to an external malicious website by changing the site URL, among many other possibilities.”

However, it is important to note that for the bug to be exploitable, the site must also have the WooCommerce plugin installed, since WooCommerce is what activates the vulnerable module in Elementor Pro.

How hackers are exploiting this bug
Security firm PatchStack has reported that hackers are actively exploiting this Elementor Pro bug to redirect visitors to dangerous sites. They are also reportedly uploading backdoors to the breached websites. The report names the backdoor files seen in these attacks: wp-resortpark.zip, wp-rate.php and lll.zip.

A sample of the lll.zip archive was found to contain a PHP script that a remote attacker can use to upload additional files to the compromised server. The backdoor gives the attacker full access to the WordPress site, which can then be used to steal data or install further malicious code.


According to the report, most of the attacks against exposed websites originate from these IP addresses: 193.169.194.63, 193.169.195.64 and 194.135.30.6. Site owners are advised to add these addresses to their blocklist.
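
Beyond blocking the addresses, a site owner will want to know whether any of the reported indicators already appear in their web-server logs. The following is an added example, not part of the original report: a small PHP CLI scan over access-log lines that flags requests from the listed IPs, requests that carry the vulnerable AJAX action name in the query string, and requests for any of the reported backdoor filenames. The log lines are constructed for illustration.

```php
<?php
// Added example, not from the original report. Scans common-log-format lines
// for the indicators the report lists. The sample lines below are constructed.

const REPORTED_IPS       = array( '193.169.194.63', '193.169.195.64', '194.135.30.6' );
const REPORTED_ACTION    = 'pro_woocommerce_update_page_option';
const REPORTED_ARTIFACTS = array( 'wp-resortpark.zip', 'wp-rate.php', 'lll.zip' );

/**
 * Returns one finding per matching line: line number, client IP, request and
 * the list of reasons it was flagged.
 */
function scan_access_log( array $lines ): array {
    $findings = array();
    foreach ( $lines as $n => $line ) {
        // Minimal common-log-format parse: client IP, then the quoted request line.
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"/', $line, $m ) ) {
            continue;
        }
        list( , $ip, $method, $path ) = $m;
        $reasons = array();

        if ( in_array( $ip, REPORTED_IPS, true ) ) {
            $reasons[] = 'reported source IP';
        }
        // Note: admin-ajax.php usually receives the action in the POST body,
        // which the access log does not record. Only query-string forms are
        // caught here; catching body parameters needs request-body logging or a WAF.
        if ( false !== strpos( $path, 'admin-ajax.php' )
            && false !== strpos( $path, 'action=' . REPORTED_ACTION ) ) {
            $reasons[] = 'vulnerable AJAX action in query string';
        }
        foreach ( REPORTED_ARTIFACTS as $name ) {
            if ( false !== strpos( $path, $name ) ) {
                $reasons[] = 'reported backdoor name ' . $name;
            }
        }

        if ( $reasons ) {
            $findings[] = array(
                'line'    => $n + 1,
                'ip'      => $ip,
                'request' => "$method $path",
                'reasons' => $reasons,
            );
        }
    }
    return $findings;
}

// Constructed sample log lines (not real traffic).
$sample = array(
    '203.0.113.5 - - [01/Apr/2023:10:00:01 +0000] "GET /shop/ HTTP/1.1" 200 5123',
    '193.169.194.63 - - [01/Apr/2023:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=pro_woocommerce_update_page_option HTTP/1.1" 200 41',
    '193.169.195.64 - - [01/Apr/2023:10:00:03 +0000] "GET /wp-content/uploads/lll.zip HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Apr/2023:10:00:04 +0000] "GET /wp-rate.php HTTP/1.1" 200 17',
);

foreach ( scan_access_log( $sample ) as $f ) {
    printf( "line %d  %-16s %s\n    %s\n", $f['line'], $f['ip'], $f['request'], implode( '; ', $f['reasons'] ) );
}
```

Run it with `php scan.php` after replacing `$sample` with lines read from the real log (`file( '/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES )`). A hit on a backdoor filename or an unexpected admin account, rather than a hit on the IPs alone, is the stronger signal that the site was actually compromised and needs cleanup beyond the plugin upgrade.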

Sites that use Elementor Pro are advised to upgrade to version 3.11.7 or later immediately. WordPress has also recently force-updated the WooCommerce Payments plugin for online stores. That update addresses a critical security flaw that allowed unauthenticated attackers to gain administrator access to exposed sites.
