Almost every modern web developer knows about the plugin elementor pro, a tool that was created by Yoni Luksenberg and Ariel Klikstein in the year 2016. With no doubt, elementor pro has been able to accelerate and support web-developers in creating responsive websites utilizing the power of the inbuilt libraries, that have quite a handful of beautiful templates provided in the free version, and amazing ones as well in the paid version.
However, like every other plugin it can be deduce that detecting flaws in elementor is not an exception as well. It has been reported that unknown cybercriminals are leveraging a vulnerability that was recently detected. The vulnerability detected was associated with the A01 of OWASP Top 10 known as Broken Access Control (BAC), and impacts versions of Elementor pro 3.11.6 and older versions. It is known that the company as gone ahead to address this issue in the version 3.11.7 they released on March 22, 2023.
According to information and sources the company stated that the version 3.11.7 is based on improved code security enforcement in the WooCommerce components. As of this year it has been estimated that over 8.7 million websites are actively utilizing this plugin, and the exploitation that is associated with the vulnerability discovered allows threat actors who have successfully authenticated themselves to an existing website running WooCommerce enabled; can completely take over the website.
According to Patch stack “This makes it possible for a malicious user to turn on the registration page (if disabled), and set the default user role to an administrator which enables them to create accounts that instantly has the administrator privileges and access.” – 30th March 2023
“After this, they are likely to either redirect the site to another malicious domain, upload a malicious plugin or backdoor to further exploit the site.” – Patch Stack
The vulnerability was detected by the researcher of NinTechNet Security “Jerome Bruandet”. According to Patchstack, it was further described that the vulnerability is being exploited by these threat actors from various geo-locations by uploading malicious PHP and ZIP archive files. To see how this code of exploitation works, read more about it here at NinTechNet Security.
It can be deduced that the new vulnerability is one to have occurred since the last 12-months after a critical vulnerability was detected in Essential Addons for Elementor Plugin. The vulnerability allows the execution of malicious code on affected websites.
The developers of the plugin who have successfully rolled out updated version of the plugin of 3.11.7 – 3.12.0 have advised users of the plugin to update to the latest version, a mitigative procedure towards the potential threat.
It should also be noted that WordPress has gone ahead to released a new version of 6.2 in the recent update they rolled out. The update fixes a critical flaw which exist in the WooCommerce Payments Plugin, which allows unauthenticated threat actors to have administrator access to affected websites.
Please do let us know in the comment section what are your thoughts about this.