WordPress Elementor Pro Vulnerability: Millions of Sites at Risk

Unknown threat actors are actively exploiting a recently patched vulnerability in the Elementor Pro website builder plugin for WordPress.

The flaw, a broken access control issue, affects versions 3.11.6 and earlier. The plugin developers fixed it in version 3.11.7, released on March 22, 2023.

“Improved code security implementation in WooCommerce components,” the Tel Aviv-based company said in its release notes. The premium plugin is estimated to be in use on more than 12 million sites.

Successful exploitation of the high-severity flaw allows an authenticated attacker, even one holding only a low-privilege customer account, to take over a WordPress site that has WooCommerce enabled.

 “This makes it possible for a malicious user to open the registration page and set the default user role as administrator, so they can gain administrative privileges instantly,” Patchstack said in a March 30 warning.

 “After that, they will likely redirect the site to another malicious domain, or add malware and create a backdoor to get more use out of it.”
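The bug class Patchstack describes is an authenticated AJAX handler that writes arbitrary WordPress options without checking who is calling. The following is an added illustration, not Elementor's code: a hypothetical handler with that defect beside a hardened version. All action names, option names and function names are made up for the example.

```php
<?php
// Added illustration of the broken-access-control pattern described above.
// Not Elementor's code; every identifier here is hypothetical.

// VULNERABLE PATTERN: wp_ajax_* hooks are reachable by any logged-in user,
// including subscribers and WooCommerce customers, and update_option() is
// called on whatever option name and value the request carries.
add_action( 'wp_ajax_example_update_page_option_v1', 'example_update_page_option_unsafe' );
function example_update_page_option_unsafe() {
    $name  = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    $value = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';

    // No capability check and no allowlist: a low-privileged user can set
    // users_can_register = 1 and default_role = administrator, then register
    // a fresh account that is an administrator from its first login.
    update_option( $name, $value );
    wp_send_json_success();
}

// HARDENED PATTERN: verify the nonce, require a capability only site
// administrators hold, and accept only the specific options the feature owns.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_woocommerce_cart_page_id',
    'example_woocommerce_checkout_page_id',
);

add_action( 'wp_ajax_example_update_page_option_v2', 'example_update_page_option_safe' );
function example_update_page_option_safe() {
    // Nonce alone is not an authorization check; it only ties the request to
    // a session that legitimately loaded the page.
    check_ajax_referer( 'example_update_page_option', 'nonce' );

    // Authorization: writing site options is an administrator-level action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // Allowlist: core options such as default_role or users_can_register are
    // never reachable through this endpoint, whatever the caller's role.
    $name = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'option not allowed', 400 );
    }

    // The allowed options are page IDs, so the value is coerced to a non-negative int.
    $value = isset( $_POST['option_value'] ) ? absint( $_POST['option_value'] ) : 0;
    update_option( $name, $value );
    wp_send_json_success();
}
```

The two fixes are independent and both are needed: the capability check stops low-privilege accounts, and the allowlist limits the blast radius if an administrator session is ever abused (for example through CSRF if the nonce check were missing).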

The vulnerability was reported by NinTechNet security researcher Jerome Bruandet on March 18, 2023.

Elementor Pro users should update to version 3.11.7 or later; 3.12.0 was the latest release at the time of writing.
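Updating closes the hole but does not undo an earlier takeover. The following added check, which is not part of the original article or of any vendor tooling, looks for the traces the exploitation path above leaves behind: registration switched on, the default role set to administrator, administrator accounts created after the disclosure date, and the site or home URL pointing somewhere unexpected. It is meant to run inside a WordPress install, for example with `wp eval-file elementor_pro_abuse_check.php`; the cutoff date and expected URLs are parameters you supply.

```php
<?php
// Added post-incident check; not from the original article, Elementor or Patchstack.
// Intended for `wp eval-file` so that WordPress functions are loaded.
// $since defaults to the report date quoted above; $expected_home is the
// canonical URL you expect the site to answer on.
function example_elementor_abuse_findings( $since = '2023-03-18 00:00:00', $expected_home = null ) {
    $findings = array();

    // The exploitation path flips these two core options.
    if ( (int) get_option( 'users_can_register' ) === 1 ) {
        $findings[] = 'users_can_register is enabled';
    }
    if ( get_option( 'default_role' ) === 'administrator' ) {
        $findings[] = 'default_role is administrator';
    }

    // Administrator accounts registered after the disclosure window deserve review.
    $admins = get_users( array(
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
    ) );
    foreach ( $admins as $user ) {
        if ( strtotime( $user->user_registered ) >= strtotime( $since ) ) {
            $findings[] = sprintf(
                'administrator %s (ID %d) registered %s',
                $user->user_login,
                $user->ID,
                $user->user_registered
            );
        }
    }

    // Post-exploitation step quoted above: redirecting the site to another domain,
    // which is usually done by rewriting the home and siteurl options.
    if ( $expected_home !== null ) {
        foreach ( array( 'home', 'siteurl' ) as $opt ) {
            $current = untrailingslashit( get_option( $opt ) );
            if ( $current !== untrailingslashit( $expected_home ) ) {
                $findings[] = sprintf( '%s is %s, expected %s', $opt, $current, $expected_home );
            }
        }
    }

    return $findings;
}

// Hypothetical expected URL; replace with your own before running.
$findings = example_elementor_abuse_findings( '2023-03-18 00:00:00', 'https://example.com' );
if ( empty( $findings ) ) {
    echo "No indicators found.\n";
} else {
    foreach ( $findings as $f ) {
        echo "[!] {$f}\n";
    }
}
```

A clean result from this script is not proof of a clean site: the quoted warning also mentions backdoors and injected malware, so follow up with a file-integrity comparison of plugins and themes against known-good copies.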

Writer: Batuhan IRMALI

Bibliography:

https://thehackernews.com/2023/04/hackers-exploiting-wordpress-elementor.html
https://www.bleepingcomputer.com/news/security/hackers-exploit-bug-in-elementor-pro-wordpress-plugin-with-11m-installs/
