Threat actors are actively exploiting a security bug in Elementor Pro, a popular WordPress plugin used by over 11 million websites.
The security bug allows authenticated users, such as shop customers or site managers, to change the site's settings, including administrator settings, which opens the risk of a website being completely taken over.
The flaw, caused by broken access control in the plugin's WooCommerce module, could allow attackers to modify options in the WordPress database without proper validation. NinTechNet, a cybersecurity company, said in a blog post that the vulnerability was first discovered in March 2023.
Attackers were also found to be exploiting the security bug to redirect users to malicious websites or upload backdoors to the breached site. And while details of these backdoors are not clear, attackers could exploit them to upload additional files to compromised servers. These files could allow attackers to gain full access to the WordPress site to steal data or install additional malicious code.
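As an added illustration (not code from Elementor, Patchstack or NinTechNet), the WordPress plugin snippet below shows the broken-access-control pattern described above, an authenticated request that updates arbitrary site options, beside a hardened version. All handler names, option names and the nonce action are hypothetical.

```php
<?php
// Added example, not Elementor's code. Handler and option names are hypothetical.

// Vulnerable pattern: wp_ajax_ hooks fire for any logged-in user (a shop customer
// included), and nothing here restricts which option may be written or by whom,
// so core administrator settings can be changed through this endpoint.
add_action( 'wp_ajax_myplugin_save_setting_insecure', function () {
    $name  = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $value = wp_unslash( $_POST['value'] ?? '' );
    update_option( $name, $value ); // no capability check, no allowlist
    wp_send_json_success();
} );

// Hardened pattern: CSRF nonce, capability check, and an allowlist of the
// options this feature legitimately needs, each with its own sanitizer.
const MYPLUGIN_ALLOWED_OPTIONS = array(
    'myplugin_shop_layout'    => 'sanitize_key',
    'myplugin_items_per_page' => 'absint',
);

add_action( 'wp_ajax_myplugin_save_setting', function () {
    // Rejects requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'myplugin_settings', '_ajax_nonce' );

    // Only users allowed to manage site options may reach update_option().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Refuse any option name outside the allowlist, so core settings are
    // unreachable even for an administrator using this endpoint.
    $name = sanitize_key( wp_unslash( $_POST['name'] ?? '' ) );
    if ( ! array_key_exists( $name, MYPLUGIN_ALLOWED_OPTIONS ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    $sanitize = MYPLUGIN_ALLOWED_OPTIONS[ $name ];
    update_option( $name, $sanitize( wp_unslash( $_POST['value'] ?? '' ) ) );
    wp_send_json_success();
} );
```

For detection, site owners can compare the `wp_options` table against a known-good export and review web server logs for `admin-ajax.php` requests from non-administrator accounts that coincide with option changes.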
The security bug in Elementor Pro can be exploited only if the WooCommerce plugin is also active on the website, and it was found to have been actively exploited in the wild.
“This vulnerability is currently being exploited and we are seeing attacks from multiple IP addresses,” said Patchstack, a WordPress security firm, in a security advisory on its blog.
Users running the Elementor Pro plugin have been advised to update their websites as soon as possible; the free-to-use version of the plugin was not found to be affected by the flaw.