Hackers exploit security bug in a WordPress plugin used by 11 million websites

Threat actors are actively exploiting a high-severity security bug in a WordPress plugin used by over 11 million websites 

April 03, 2023 12:42 pm | Updated 12:42 pm IST


Threat actors are actively exploiting a security bug in Elementor Pro, a popular WordPress plugin used by over 11 million websites.

The bug lets any authenticated user, including low-privileged accounts such as WooCommerce shop customers or site managers, change the site’s settings, including those that control administrator access, which can lead to a complete site takeover.

The flaw stems from broken access control in the plugin’s WooCommerce module: a request handler that updates options in the WordPress database does not check that the caller is authorised to do so, nor does it validate which option is being written. The vulnerability was first discovered in March 2023, the cybersecurity company NinTechNet said in a blog post.
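To make the class of bug concrete, here is an added illustration (not Elementor Pro’s own code, and not taken from the NinTechNet or Patchstack write-ups): a hypothetical WordPress AJAX handler that writes whatever option name and value it is given on behalf of any logged-in user, followed by a hardened version with a capability check, a nonce, and an allowlist of the options the feature actually needs. The `demo_` action names, option names and function names are invented for the example.

```php
<?php
// Added example, not Elementor Pro's code. All demo_* names are hypothetical.

// VULNERABLE PATTERN: wp_ajax_* hooks fire for every logged-in user (a shop
// customer included). There is no capability check, no nonce, and the option
// name is taken straight from the request, so the caller can write any option.
add_action( 'wp_ajax_demo_update_option_vuln', function () {
    $name  = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    $value = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    if ( '' === $name ) {
        wp_send_json_error( 'missing option_name', 400 );
    }
    // A low-privileged account can, for instance, set users_can_register=1 and
    // default_role=administrator, then simply register itself an admin account.
    update_option( $name, $value );
    wp_send_json_success();
} );

// HARDENED PATTERN: only administrators may call it, the request must carry a
// valid nonce, and only a fixed set of options can be written, each one run
// through a validator appropriate to its type.
const DEMO_ALLOWED_OPTIONS = array(
    'demo_shop_page_id'     => 'absint',
    'demo_checkout_page_id' => 'absint',
);

function demo_update_option_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'demo_update_option', '_ajax_nonce' );

    $name = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! array_key_exists( $name, DEMO_ALLOWED_OPTIONS ) ) {
        wp_send_json_error( 'option not allowed', 400 );
    }
    $validate = DEMO_ALLOWED_OPTIONS[ $name ];
    $value    = isset( $_POST['option_value'] ) ? $validate( wp_unslash( $_POST['option_value'] ) ) : 0;

    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name, 'value' => $value ) );
}
add_action( 'wp_ajax_demo_update_option', 'demo_update_option_secure' );
```

The important detail is that `wp_ajax_*` only guarantees the caller is logged in, not that they are privileged; authorisation has to be an explicit `current_user_can()` check inside the handler, and an allowlist keeps a bug in the check from becoming an arbitrary-option write.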

Attackers have also been seen exploiting the bug to redirect visitors to malicious websites or to upload backdoors to compromised sites. While the details of those backdoors are not public, they would let attackers upload further files to the server, giving them full access to the WordPress installation to steal data or plant additional malicious code.
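Because the bug is an arbitrary option write, the settings an attacker touches leave traces in the `wp_options` table. The following added check (example code, not from the article or from any of the firms it cites) inspects an options dump for the indicators that match the behaviour described above: open registration with an administrator default role (self-service admin accounts), and `siteurl`/`home` pointing at a foreign host (one common way to redirect visitors). It assumes the input is the JSON produced by `wp option list --format=json`; the sample dump and the host name are constructed.

```php
<?php
// Added example, not part of the original article. Input format assumed to be
// the output of `wp option list --format=json`: an array of objects with
// option_name and option_value keys.

function demo_audit_options( array $options, string $expected_host ): array {
    $opt = array();
    foreach ( $options as $row ) {
        $opt[ $row['option_name'] ] = $row['option_value'];
    }
    $findings = array();

    // Open registration combined with an administrator default role lets
    // anyone create an admin account through the normal registration form.
    if ( '1' === (string) ( $opt['users_can_register'] ?? '0' ) ) {
        $findings[] = 'users_can_register is enabled';
    }
    if ( 'administrator' === ( $opt['default_role'] ?? 'subscriber' ) ) {
        $findings[] = 'default_role is administrator';
    }

    // siteurl/home pointing off-site sends every visitor somewhere else.
    foreach ( array( 'siteurl', 'home' ) as $key ) {
        $host = parse_url( (string) ( $opt[ $key ] ?? '' ), PHP_URL_HOST );
        if ( $host !== $expected_host ) {
            $findings[] = "$key points to '$host', expected '$expected_host'";
        }
    }
    return $findings;
}

// Constructed sample dump standing in for `wp option list --format=json`.
$json = <<<'JSON'
[
  {"option_name": "siteurl",            "option_value": "https://shop.example"},
  {"option_name": "home",               "option_value": "https://redirect.attacker.invalid"},
  {"option_name": "users_can_register", "option_value": "1"},
  {"option_name": "default_role",       "option_value": "administrator"}
]
JSON;
$sample = json_decode( $json, true );

// Expected findings for this sample: registration enabled, default role is
// administrator, and home points to redirect.attacker.invalid.
foreach ( demo_audit_options( $sample, 'shop.example' ) as $finding ) {
    echo "[!] $finding\n";
}
```

On a real site the same function can be fed `wp option list --format=json` output directly; a clean result does not prove there is no backdoor on disk, so pair it with a file-integrity check of the plugin and upload directories.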

The bug can only be exploited if the WooCommerce plugin is also active on the site, and it was found to be under active exploitation in the wild.

“This vulnerability is currently being exploited and we are seeing attacks from multiple IP addresses,” said Patchstack, a WordPress security firm, in a security advisory on its blog.

Users running Elementor Pro have been advised to update as soon as possible; the flaw was fixed in Elementor Pro 3.11.7. The free version of the Elementor plugin was not found to be affected.
