Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress.
The flaw, described as a case of broken access control, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7, released on March 22.
“Improved code security enforcement in WooCommerce components,” the Tel Aviv-based company said in its release notes. The premium plugin is estimated to be in use on over 12 million sites.
Successful exploitation of the high-severity flaw allows an authenticated attacker to complete a takeover of a WordPress site that has WooCommerce enabled.
“This makes it possible for a malicious user to turn on the registration page (if disabled) and set the default user role to administrator so they can create an account that instantly has the administrator privileges,” Patchstack said in an alert of March 30, 2023.
“After this, they are likely to either redirect the site to another malicious domain or upload a malicious plugin or backdoor to further exploit the site.”
Credited with discovering and reporting the vulnerability on March 18, 2023, is NinTechNet security researcher Jerome Bruandet.
Patchstack further noted that the flaw is currently being abused in the wild from several IP addresses intending to upload arbitrary PHP and ZIP archive files.
Users of the Elementor Pro plugin are recommended to update to 3.11.7 or 3.12.0, which is the latest version, as soon as possible to mitigate potential threats.
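As an added example (not from the article, nor from Elementor or Patchstack), the following defender-side audit flags the two settings the alert says an attacker flips (open registration and an administrator default role) together with an outdated Elementor Pro version; the option names `users_can_register` and `default_role` are real WordPress options, the settings snapshot is constructed, and the version threshold is the 3.11.7 fix the article cites.

```python
# Added example, not the article's or the plugin's own code: audit a WordPress
# settings snapshot for the post-exploitation state described in the Patchstack alert.
from typing import Dict, List, Tuple

FIXED_VERSION = (3, 11, 7)  # Elementor Pro release that closed the flaw (per the article)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.11.6' into (3, 11, 6) so 3.11.7 < 3.12.0 compares numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def audit(options: Dict[str, str], elementor_pro_version: str) -> List[str]:
    """Return findings for a site; an empty list means none of the audited conditions hold."""
    findings: List[str] = []
    if parse_version(elementor_pro_version) < FIXED_VERSION:
        findings.append(f"Elementor Pro {elementor_pro_version} is older than 3.11.7: update")
    # Real WordPress options: users_can_register is stored as "1"/"0", default_role as a role slug.
    if options.get("users_can_register") == "1":
        findings.append("open registration is enabled (users_can_register=1)")
    if options.get("default_role") == "administrator":
        findings.append("default_role is administrator: every new sign-up becomes an admin")
    return findings


# Constructed sample snapshot, shaped like the values `wp option get` returns.
SAMPLE_OPTIONS = {
    "users_can_register": "1",
    "default_role": "administrator",
    "siteurl": "https://example.com",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_OPTIONS, "3.11.6"):
        print("FINDING:", finding)
```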
The advisory comes over a year after the Essential Addons for Elementor plugin was found to contain a critical vulnerability that could result in the execution of arbitrary code on compromised websites.
Last week, WordPress issued auto-updates to remediate another critical bug in the WooCommerce Payments plugin that allowed unauthenticated attackers to gain administrator access to vulnerable sites.