A serious vulnerability existed in the popular WordPress plugin Elementor Pro that could allow website takeovers. Even worse, attackers began exploiting the vulnerability soon after it became public, so WordPress admins needed to install the fix quickly.
Elementor Pro Plugin Vulnerability Risked Site Admins
According to the details shared by the discoverer of this vulnerability, Jerome Bruandet, in a post, a high-severity site takeover vulnerability affected the Elementor Pro plugin.
Bruandet found that the vulnerability affected the premium version only, so websites running the free Elementor plugin were not exposed to the flaw.
Specifically, the researcher found that the plugin's pro_woocommerce_update_page_option function called update_option without validating who was making the request. Although this function is meant to let site admins update the relevant WooCommerce options, the missing user-permission check meant any authenticated user, even one without administrative privileges, could reach it and update options without restriction. An authenticated adversary could thereby create admin accounts and take over the target website.
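To make the vulnerability class concrete, here is an added example of a WordPress AJAX option-update handler written for this article; it is not Elementor Pro's code and does not reproduce the plugin's actual implementation. The handler names (example_update_page_option_vulnerable, example_update_page_option_secure), the nonce action name, and the allowlist of WooCommerce page-ID options are assumptions chosen for illustration. The first function shows the unsafe pattern (no permission check, any option name accepted); the second shows the checks a reviewer would expect before update_option is called.

```php
<?php
/*
 * Added example, not Elementor Pro's code. Illustrates an option-update
 * endpoint with no capability check next to a hardened version. All
 * function names, the nonce action and the allowlist are assumptions.
 */

// Vulnerable pattern: every logged-in user can reach this endpoint and pass
// an arbitrary option name and value straight into update_option().
function example_update_page_option_vulnerable() {
    $option_name  = sanitize_text_field( $_POST['option_name'] ?? '' );
    $option_value = $_POST['option_value'] ?? '';
    update_option( $option_name, $option_value ); // no capability check, no allowlist
    wp_send_json_success();
}

// Hardened pattern: nonce, capability check, allowlist and value validation.
function example_update_page_option_secure() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'example_update_page_option', 'nonce' );

    // 2. Authorization: only users allowed to manage WooCommerce settings.
    //    wp_send_json_error() ends the request, so nothing below runs on failure.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Allowlist (assumed set): refuse any option name outside the intended few.
    $allowed_options = array(
        'woocommerce_shop_page_id',
        'woocommerce_cart_page_id',
        'woocommerce_checkout_page_id',
        'woocommerce_myaccount_page_id',
    );
    $option_name = sanitize_key( $_POST['option_name'] ?? '' );
    if ( ! in_array( $option_name, $allowed_options, true ) ) {
        wp_send_json_error( array( 'message' => 'Option not permitted.' ), 400 );
    }

    // 4. Value validation: these options hold page IDs, so require a positive
    //    integer that refers to an existing page.
    $page_id = absint( $_POST['option_value'] ?? 0 );
    if ( 0 === $page_id || 'page' !== get_post_type( $page_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid page ID.' ), 400 );
    }

    update_option( $option_name, $page_id );
    wp_send_json_success( array( 'option' => $option_name, 'value' => $page_id ) );
}

// Register only the hardened handler, and only on the wp_ajax_ hook
// (logged-in users); deliberately not on wp_ajax_nopriv_.
add_action( 'wp_ajax_example_update_page_option', 'example_update_page_option_secure' );
```

The important design point is that authentication (being logged in) is not authorization: the wp_ajax_ hook only guarantees a session exists, so the handler itself must call current_user_can with the capability the operation actually needs, and it should constrain which options can be written rather than trusting a client-supplied option name.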
Elementor Pro is the premium version of the popular WordPress plugin Elementor, which lets site owners build polished websites without writing code. The plugin currently boasts over 5 million active installations, so any vulnerability in it puts millions of websites globally at risk once exploited.
That is what Patchstack highlighted in its advisory notifying users of active exploitation of the Elementor Pro vulnerability. Patchstack observed numerous exploitation attempts from different IP addresses, most of them from three IPs: 193.169.194.63, 193.169.195.64, and 194.135.30.6. It also saw the attackers redirecting visitors to malicious URLs, which not only damages the infected website's credibility but also threatens the security of its visitors.
The vulnerability affected Elementor Pro versions 3.11.6 and below. When notified about the flaw, the plugin developers patched the issue and released the fix in version 3.11.7.
Patchstack urges all site admins using Elementor Pro to update to the latest plugin release (3.11.7 or higher) to receive the fix. The plugin's official WordPress page lists the current release as 3.12.0.