Hackers have been detected actively exploiting a high-severity vulnerability in the popular Elementor Pro WordPress Plugin, which is used by over 11 million websites. Elementor Pro is a WordPress page builder plugin that allows users to easily build professional-looking sites without the need to know how to code. The plugin features drag-and-drop, theme building, a template collection, custom widget support, and WooCommerce builder for online shops. The vulnerability impacts versions v3.11.6 and earlier and allows authenticated users to change the site’s settings and perform a full takeover of the site. The vulnerability requires Elementor Pro to be installed along with the WooCommerce builder and concerns a broken access control in Elementor Pro’s WooCommerce module that allows any authenticated user to modify WordPress options in the database without proper validation. This vulnerability was discovered by the NinTechNet researcher Jerome Bruandet on March 18th.
The WordPress security firm PatchStack has since reported that hackers are actively exploiting this vulnerability to redirect users to malicious domains as well as to upload backdoors in breached sites. The backdoors seen being uploaded have taken the names of “wp-resortpark.zip”, “wp-rate.php”, and “lll.zip”. The backdoors uploaded allow for data to be stolen as well as the installation of additional code. The majority of the attacks seen so far have originated from the following IPs:
- 193[.]169[.]194[.]63
- 193[.]169[.]195[.]64
- 194[.]135[.]30[.]6
This vulnerability has been patched in the latest version of Elementor Pro, v3.11.7. This vulnerability follows another vulnerability in the WooCommerce Payments plugin that was patched last week through a force-update from WordPress.
Analyst Notes
This article demonstrates the growing problem of supply-chain attacks that are beginning to plague the cybersecurity industry. Many organizations are beginning to use a larger number of 3rd party tools to aid in their operations, with many of these 3rd party tools employing their own 3rd party tools themselves. While this often aids developers, as they don’t have to program everything from scratch, this also opens the door for a greater number of potential vulnerabilities to exist in any given environment. The best recommendation for an organization is to ensure two things – an adequate threat intelligence program and an adequate patching schedule. With both, an organization can ensure that they stay up to date on the latest vulnerabilities and exploits, allowing them to get their systems patched before they are used maliciously against their organization.
Source: https://www.bleepingcomputer.com/news/security/hackers-exploit-bug-in-elementor-pro-wordpress-plugin-with-11m-installs/
