Exploited Elementor Pro Plugin Under Attack; Affects Over 11 Million Sites

The Elementor Pro plugin for WordPress is being targeted by hackers who are exploiting a critical vulnerability in it. This vulnerability affects over 11 million websites that have installed the Elementor Pro plugin.

What’s Elementor Pro plugin?

It is a page builder that enables users to create visually appealing websites without requiring coding knowledge. It includes features such as drag-and-drop functionality, theme building, and a builder for WooCommerce online shops, among others.

What do we know about the bug?

  • The vulnerability affects version 3.11.6 of Elementor Pro and all earlier versions. It lets authenticated users modify the website's settings or even gain full control of the site.
  • The flaw is a result of broken access control in the plugin's WooCommerce module, which lets any user modify WordPress options in the database without proper validation.
  • Exploitation goes through a vulnerable AJAX action, pro_woocommerce_update_page_option, which lacks proper input validation and capability checks.

Why is it bugging us?

The flaw can be exploited by authenticated attackers to perform a range of malicious actions.
  • For instance, they can create an administrator account by enabling registration and setting the default role to "administrator," change the administrator email address, or redirect website traffic to a malicious external website by modifying the site's URL.
  • Currently, hackers are exploiting this Elementor Pro vulnerability to redirect visitors to malicious domains such as or upload backdoors to compromised websites.
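The bug description and the impact list above, turned into a log check as an added example (not code from the article or from Elementor): it flags requests to the named AJAX action through admin-ajax.php and raises the severity when the request body references the WordPress options whose change the article describes (registration, default role, admin e-mail, site URL). The log format, the sample lines and the option/value parameter layout are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines (not from the article). Assumed format:
# '<client ip> "<METHOD> <path>" <status> "<urlencoded body>"', i.e. a WAF or
# request log that records POST bodies, which a plain access log does not.
SAMPLE_LOG = """\
203.0.113.5 "POST /wp-admin/admin-ajax.php" 200 "action=pro_woocommerce_update_page_option&option=users_can_register&value=1"
203.0.113.5 "POST /wp-admin/admin-ajax.php" 200 "action=pro_woocommerce_update_page_option&option=default_role&value=administrator"
198.51.100.7 "POST /wp-admin/admin-ajax.php" 200 "action=heartbeat&interval=60"
198.51.100.7 "POST /wp-admin/admin-ajax.php" 200 "action=pro_woocommerce_update_page_option&option=woocommerce_shop_page_id&value=12"
203.0.113.5 "POST /wp-admin/admin-ajax.php" 200 "action=pro_woocommerce_update_page_option&option=siteurl&value=https%3A%2F%2Fexample.invalid"
"""

VULN_ACTION = "pro_woocommerce_update_page_option"  # AJAX action named in the article
# WordPress options whose modification matches the impact the article describes
# (open registration / default role, administrator e-mail, site URL).
SENSITIVE_OPTIONS = {"users_can_register", "default_role", "admin_email", "siteurl", "home"}

LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<body>[^"]*)"$')


def parse_line(line):
    """Parse one log line into a dict with a decoded 'params' map, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["params"] = dict(parse_qsl(rec["body"], keep_blank_values=True))
    return rec


def classify(rec):
    """'high' if the vulnerable action touches a sensitive option, 'medium' for
    any other call to it, None for everything else."""
    if rec is None or not rec["path"].endswith("/wp-admin/admin-ajax.php"):
        return None
    if rec["params"].get("action") != VULN_ACTION:
        return None
    # The exploit's parameter names are not given in the article (assumed here),
    # so look for sensitive option names in any key or value of the body.
    seen = set(rec["params"]) | set(rec["params"].values())
    return "high" if seen & SENSITIVE_OPTIONS else "medium"


def scan(log_text):
    """Return (severity, client ip, raw body) for every flagged line, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        sev = classify(rec)
        if sev is not None:
            findings.append((sev, rec["ip"], rec["body"]))
    return findings
```

Any hit on an unpatched site (3.11.6 or earlier) is worth a review of recent option changes and user accounts; a "medium" hit on a patched site may simply be legitimate page-builder traffic.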

WooCommerce in hot water

  • In March, researchers found a critical flaw in the WooCommerce Payments plugin, which has over half a million installs.
  • While the full details of the flaw have not been revealed yet, successful exploitation enables an unauthenticated attacker to gain administrator access and take over websites.
  • Users are therefore recommended to update woocommerce-payments to version 5.6.2 immediately, change admin passwords, and rotate WooCommerce API keys.

The bottom line

Vulnerabilities like the above keep popping up every now and then, highlighting the need to enable automatic updates. As hackers are actively targeting vulnerable websites, it is imperative that users follow proper cyber hygiene and prevent their websites from being abused.
Cyware Publisher