An unknown threat actor is actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress.
The flaw, described as a broken access control case, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7, which was released on March 22nd.
Successful exploitation of the high-severity vulnerability allows an authenticated attacker to fully take over a WooCommerce-enabled WordPress site.
“This allows malicious users to enable the sign-up page (if disabled) and assign the default user role to administrator so they can create accounts that have administrator privileges immediately,” Patchstack said in an alert published on March 30, 2023.
“After this, they tend to redirect the site to other malicious domains or upload malicious plug-ins or backdoors to further exploit the site.”
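A defensive counterpart to exactly that sequence, added here as an example and not code from Patchstack, Elementor or NinTechNet, is a small must-use plugin that refuses to let `default_role` be changed to anything but an allowed role and logs the moment registration is switched on. The hook names are real WordPress hooks; the allowed-role list and the log prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Default Role Guard (illustrative mu-plugin, not an official Elementor fix)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins and cannot be deactivated
 * from the dashboard. It hardens the two options the abuse chain described above touches:
 * users_can_register (step 1) and default_role (step 2).
 */

// Assumption: self-registered users may only ever receive the subscriber role.
const DRG_ALLOWED_DEFAULT_ROLES = array( 'subscriber' );

// Refuse any attempt to move default_role outside the allowed list.
// Returning the old value makes WordPress treat the update as a no-op.
add_filter( 'pre_update_option_default_role', function ( $value, $old_value ) {
    if ( in_array( $value, DRG_ALLOWED_DEFAULT_ROLES, true ) ) {
        return $value;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        '[drg] blocked default_role change to "%s" by user #%d (%s) from %s',
        $value, $user->ID, $user->user_login, $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );
    return $old_value;
}, 10, 2 );

// Registration being enabled is the first step of the chain: log it so it can be correlated
// with a later burst of new administrator accounts.
add_action( 'update_option_users_can_register', function ( $old_value, $value ) {
    if ( (int) $value === 1 && (int) $old_value !== 1 ) {
        $user = wp_get_current_user();
        error_log( sprintf(
            '[drg] users_can_register enabled by user #%d (%s) from %s',
            $user->ID, $user->user_login, $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
    }
}, 10, 2 );

// If the option was already flipped before this guard was installed, revert it on load
// and leave a log line, since that indicates the site may already have been abused.
add_action( 'init', function () {
    $current = get_option( 'default_role' );
    if ( ! in_array( $current, DRG_ALLOWED_DEFAULT_ROLES, true ) ) {
        error_log( sprintf( '[drg] default_role was "%s" at load; resetting to subscriber', $current ) );
        update_option( 'default_role', 'subscriber' );
    }
} );
```

The log lines land in the PHP error log, which is where a host-level log shipper usually already looks; reviewing existing administrator accounts and uploaded files is still required, since the guard prevents only future role escalation.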
NinTechNet security researcher Jerome Bruandet is credited with discovering and reporting the vulnerability on March 18, 2023.
Patchstack further notes that the flaw is currently being abused in the wild from multiple IP addresses intent on uploading arbitrary PHP and ZIP archive files.
Elementor Pro plugin users are advised to update to 3.11.7 or 3.12.0, which are the latest versions, as soon as possible to mitigate potential threats.
The advisory comes more than a year after the Essential Addons for Elementor plugin was found to contain a critical vulnerability that could result in arbitrary code execution on compromised websites.
Last week, WordPress issued an automatic update to fix another critical bug in the WooCommerce Payments plugin that allowed an unauthenticated attacker to gain administrator access to a vulnerable site.