GOT UPDATES?
Hackers exploit WordPress plugin flaw that gives full control of millions of sites
Elementor Pro fixed the vulnerability, but not everyone has installed the patch.
Dan Goodin – Mar 31, 2023 10:40 pm UTC
Hackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them the ability to take complete control of millions of sites, researchers said.
The vulnerability, which carries a severity rating of 8.8 out of a possible 10, is present in Elementor Pro, a premium plugin running on more than 12 million sites powered by the WordPress content management system. Elementor Pro allows users to create high-quality websites using a wide range of tools, one of which is WooCommerce, a separate WordPress plugin. When both plugins are active, anyone with an account on the site, say a subscriber or customer, can create new accounts that have full administrator privileges.
The vulnerability was discovered by Jerome Bruandet, a researcher with security firm NinTechNet. Last week, Elementor, the developer of the Elementor Pro plugin, released version 3.11.7, which patched the flaw. In a post published on Tuesday, Bruandet wrote:
An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration (users_can_register) and setting the default role (default_role) to administrator, change the administrator email address (admin_email) or, as shown below, redirect all traffic to an external malicious website by changing siteurl among many other possibilities:

MariaDB [example]> SELECT * FROM `wp_options` WHERE `option_name`='siteurl';
+-----------+-------------+------------------+----------+
| option_id | option_name | option_value     | autoload |
+-----------+-------------+------------------+----------+
|         1 | siteurl     | https://evil.com | yes      |
+-----------+-------------+------------------+----------+
1 row in set (0.001 sec)
Now, researchers with a separate security firm, PatchStack, report that the vulnerability is under active exploitation. Attacks are coming from a variety of IP addresses, including:

193.169.194.63
193.169.195.64
194.135.30.6

Files uploaded to compromised sites often have the following names:

wp-resortpack.zip
wp-rate.php
lll.zip
URLs of compromised sites are often being changed to: away[dot]trackersline[dot]com
The broken access control vulnerability stems from Elementor Pro's use of the elementor-pro/modules/woocommerce/module.php component. When WooCommerce is running, this script registers the following AJAX actions:

/**
 * Register Ajax Actions.
 *
 * Registers ajax action used by the Editor js.
 *
 * @since 3.5.0
 *
 * @param Ajax $ajax
 */
public function register_ajax_actions( Ajax $ajax ) {
	// `woocommerce_update_page_option` is called in the editor save-show-modal.js.
	$ajax->register_ajax_action( 'pro_woocommerce_update_page_option', [ $this, 'update_page_option' ] );
	$ajax->register_ajax_action( 'pro_woocommerce_mock_notices', [ $this, 'woocommerce_mock_notices' ] );
}

and

/**
 * Update Page Option.
 *
 * Ajax action can be used to update any WooCommerce option.
 *
 * @since 3.5.0
 *
 * @param array $data
 */
public function update_page_option( $data ) {
	update_option( $data['option_name'], $data['editor_post_id'] );
}
"The update_option function is supposed to allow the Administrator or the Shop Manager to update some specific WooCommerce options, but user input isn't validated and the function lacks a capability check to restrict its access to a high privileged user only," Bruandet explained. He continued:

Elementor uses its own AJAX handler to manage most of its AJAX actions, including pro_woocommerce_update_page_option, with the global elementor_ajax action. It is located in the elementor/core/common/modules/ajax/module.php script of the free version (which is required to run Elementor Pro):

/**
 * Handle ajax request.
 *
 * Verify ajax nonce, and run all the registered actions for this request.
 *
 * Fired by `wp_ajax_elementor_ajax` action.
 *
 * @since 2.0.0
 * @access public
 */
public function handle_ajax_request() {
	if ( ! $this->verify_request_nonce() ) {
		$this->add_response_data( false, esc_html__( 'Token Expired.', 'elementor' ) )
			->send_error( Exceptions::UNAUTHORIZED );
	}
	…
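The following is an added example, not Elementor's code and not its 3.11.7 patch: the same update_page_option handler with the checks the quoted code lacks, namely a capability check, an allowlist of option names, and validation of the value. The capability name (manage_woocommerce), the list of allowed options, and the assumption that the Ajax class turns a thrown exception into an error response are all assumptions made for illustration.

```php
<?php
// Illustrative hardening of the update_page_option AJAX action discussed above.
// Added example, not Elementor's own code or its actual fix. Assumes the
// WordPress core functions current_user_can(), absint(), get_post() and
// update_option(), and that Elementor's Ajax class converts an exception
// thrown by a registered action into an error response.

class WooCommerce_Module_Hardened {

	// Assumption: the editor only ever needs to point these WooCommerce
	// page-id options at a page. Anything else (siteurl, users_can_register,
	// default_role, admin_email, ...) is refused outright.
	const ALLOWED_OPTIONS = [
		'woocommerce_shop_page_id',
		'woocommerce_cart_page_id',
		'woocommerce_checkout_page_id',
		'woocommerce_myaccount_page_id',
	];

	public function register_ajax_actions( Ajax $ajax ) {
		$ajax->register_ajax_action( 'pro_woocommerce_update_page_option', [ $this, 'update_page_option' ] );
	}

	// Vulnerable shape from the article, for comparison:
	//   update_option( $data['option_name'], $data['editor_post_id'] );
	public function update_page_option( $data ) {
		// The nonce checked in handle_ajax_request() only proves the request
		// came from a logged-in session; it says nothing about privilege.
		// Require a capability held by Administrators and Shop Managers
		// (assumption: manage_woocommerce) before touching any option.
		if ( ! current_user_can( 'manage_woocommerce' ) ) {
			throw new \Exception( 'Insufficient permissions.' );
		}

		$option_name = isset( $data['option_name'] ) ? (string) $data['option_name'] : '';
		if ( ! in_array( $option_name, self::ALLOWED_OPTIONS, true ) ) {
			throw new \Exception( 'Option not allowed.' );
		}

		// The value must be the ID of an existing page, not arbitrary input.
		$post_id = isset( $data['editor_post_id'] ) ? absint( $data['editor_post_id'] ) : 0;
		$post    = $post_id ? get_post( $post_id ) : null;
		if ( ! $post || 'page' !== $post->post_type ) {
			throw new \Exception( 'Invalid page ID.' );
		}

		update_option( $option_name, $post_id );
		return [ 'option_name' => $option_name, 'value' => $post_id ];
	}
}
```

The nonce check in handle_ajax_request() is a CSRF defence, not an authorisation check: any logged-in user, including a subscriber or customer, can obtain a valid nonce, which is why the capability check has to live in the action itself.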
Anyone using Elementor Pro should ensure they're running 3.11.7 or later, as all previous versions are vulnerable. It's also a good idea for these users to check their sites for the signs of infection listed in the PatchStack post.