Hackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them the ability to take complete control of millions of sites, researchers said.
The vulnerability, which carries a severity rating of 8.8 out of a possible 10, is present in Elementor Pro, a
premium plugin running on more than 12 million sites powered by the WordPress content management system.Elementor Pro allows users to create high-quality websites using a wide range of tools, one of which is WooCommerce, a separate WordPress plugin.When those conditions are met, anyone with an account on the site—say a subscriber or customer—can create new accounts that have full administrator privileges.
The vulnerability was discovered by Jerome Bruandet, a researcher with security firm NinTechNet.Last week, Elementor, the developer of the Elementor Pro plugin,
released version 3.11.7, which patched the flaw.In a post published on Tuesday, Bruandet wrote:
An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration (
users_can_register) and setting the default role (
default_role) to “administrator”, change the administrator email address (
admin_email) or, as shown below, redirect all traffic to an external malicious website by changing
siteurlamong many other possibilities:MariaDB [example]> SELECT * FROM `wp_options` WHERE `option_name`=’siteurl’; +———–+————-+——————+———-+ | option_id | option_name | option_value | autoload | +———–+————-+——————+———-+ | 1 | siteurl | https://evil.com | yes | +———–+————-+——————+———-+ 1 row in set (0.001 sec)
Now, researchers with a separate security firm, PatchStack,
report that the vulnerability is under active exploitation.Attacks are coming from a variety of IP addresses, including:
– 193.169.194.63
– 193.169.195.64
– 194.135.30.6
Files uploaded to compromised sites often have the following names:
– wp-resortpack.zip
– wp-rate.php
– lll.zip
URLs of compromised sites are often being changed to:
– away[dot]trackersline[dot]com
The broken access control vulnerability stems from Elementor Pro’s use of the “elementor-pro/modules/woocommerce/module.php” component.When WooCommerce is running, this script registers the following AJAX actions:
/** * Register Ajax Actions.* * Registers ajax action used by the Editor js.
* * @since 3.5.0 * * @param Ajax $ajax */ public function register_ajax_actions( Ajax $ajax ) { // `woocommerce_update_page_option` is called in the editor save-show-modal.js.$ajax->register_ajax_action( ‘pro_woocommerce_update_page_option’, [ $this, ‘update_page_option’ ] ); $ajax->register_ajax_action( ‘pro_woocommerce_mock_notices’, [ $this, ‘woocommerce_mock_notices’ ] ); }
and
/** * Update Page Option.* * Ajax action can be used to update any WooCommerce option.* * @since 3.5.0 * * @param array $data */ public function update_page_option( $data ) { update_option( $data[‘option_name’], $data[‘editor_post_id’] ); }
The update_option function “is supposed to allow the Administrator or the Shop Manager to update some specific WooCommerce options, but user input aren’t validated and the function lacks a capability check to restrict its access to a high privileged user only,” Bruandet explained.He continued:
Elementor uses its own AJAX handler to manage most of its AJAX actions, including
pro_woocommerce_update_page_option, with the global
elementor_ajaxaction.It is located in the “elementor/core/common/modules/ajax/module.php” script of the free version (which is required to run Elementor Pro) :/** * Handle ajax request.
* * Verify ajax nonce, and run all the registered actions for this request.* * Fired by `wp_ajax_elementor_ajax` action.* * @since 2.0.0 * @access public */ public function handle_ajax_request() { if ( ! $this->verify_request_nonce() ) { $this->add_response_data( false, esc_html__( ‘Token Expired.’, ‘elementor’ ) ) ->send_error( Exceptions::UNAUTHORIZED ); } …
Anyone using Elementor Pro should ensure they’re running 3.11.7 or later, as all previous versions are vulnerable.It’s also a good idea for these users to check their sites for the signs of infection listed in the PatchStack post..