Hackers have managed to find a critical vulnerability in a widely used WordPress plugin that allows them to take complete control of millions of websites.
The vulnerability, which has a severity rating of 8.8 out of a possible 10, exists in Elementor Pro, a premium plugin that runs on more than 12 million websites powered by the WordPress content management system.
Elementor Pro allows users to build high-quality websites using a wide range of tools, one of which is WooCommerce, a separate WordPress plugin. When both plugins are active, anyone with an account on the site, for example a non-privileged subscriber, can create new accounts that have full administrative rights.
The vulnerability was discovered by Jerome Bruandet, a researcher at security company NinTechNet. Last week, the developer of Elementor Pro released version 3.11.7, which fixes the problem. In a post published on Tuesday, Bruandet said:
An attacker could exploit the vulnerability to create an administrator account by enabling registration (users_can_register) and setting the default role (default_role) to “administrator”, change the admin email address (admin_email) or, as shown below, redirect all traffic to an external malicious website by changing the siteurl, among others:
Researchers from security company PatchStack report that the vulnerability is already being actively exploited. If your site is running the Elementor Pro plugin, update immediately.
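Updating closes the hole, but it does not undo anything an attacker already changed. The script below is an added example, not code from Elementor, NinTechNet, PatchStack or the article: it checks whether the installed Elementor Pro predates the fixed 3.11.7 release and whether the four options named in Bruandet's post (users_can_register, default_role, admin_email, siteurl) still hold the values you expect. The plugin directory name `elementor-pro`, the WP-CLI invocations and the JSON shape of `wp option list` are assumptions; the sample option rows are constructed to show what a tampered site would look like.

```python
"""Post-upgrade sanity check for a WordPress site running Elementor Pro.

Added example, not code from Elementor, NinTechNet, PatchStack or the article.
It checks the two things the advisory gives us: whether the installed
Elementor Pro is older than the fixed 3.11.7, and whether the wp_options rows
an attacker would tamper with (users_can_register, default_role, admin_email,
siteurl) hold the values you expect.
"""
import json
import re
import subprocess
from typing import Dict, List
from urllib.parse import urlparse

FIXED_VERSION = "3.11.7"       # first release with the fix, per the advisory
PLUGIN_SLUG = "elementor-pro"  # assumed plugin directory name; adjust if yours differs

# Constructed sample of `wp option list --format=json` output (assumed shape: a
# list of {"option_name": ..., "option_value": ...} objects) showing the
# tampering described in the advisory.
SAMPLE_TAMPERED_JSON = json.dumps([
    {"option_name": "siteurl", "option_value": "https://evil.example"},
    {"option_name": "home", "option_value": "https://shop.example"},
    {"option_name": "users_can_register", "option_value": "1"},
    {"option_name": "default_role", "option_value": "administrator"},
    {"option_name": "admin_email", "option_value": "attacker@evil.example"},
])


def parse_version(v: str):
    """'3.11.7' -> (3, 11, 7); tolerates suffixes such as '3.11.7-beta1'."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_vulnerable_version(installed: str) -> bool:
    """True if the installed Elementor Pro predates the 3.11.7 fix."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def options_from_wp_cli(raw_json: str) -> Dict[str, str]:
    """Flatten `wp option list --format=json` rows into {name: value}."""
    return {row["option_name"]: str(row["option_value"]) for row in json.loads(raw_json)}


def _normalize_url(u: str) -> str:
    """Lower-case scheme and host, drop a trailing slash, so equal sites compare equal."""
    p = urlparse(u.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"


def audit_options(options: Dict[str, str], expected_siteurl: str,
                  expected_admin_email: str) -> List[str]:
    """Return one finding per option that deviates from a sane baseline.

    An empty list means none of the advisory's tampering indicators is present.
    """
    findings = []
    # WordPress stores "1" when open registration is on, "" or "0" when off.
    if options.get("users_can_register", "0") not in ("", "0"):
        findings.append("users_can_register is enabled (open registration)")
    role = options.get("default_role", "subscriber")
    if role != "subscriber":
        findings.append(f"default_role is {role!r}; every new sign-up gets that role")
    siteurl = options.get("siteurl", "")
    if _normalize_url(siteurl) != _normalize_url(expected_siteurl):
        findings.append(f"siteurl is {siteurl!r}, expected {expected_siteurl!r}")
    email = options.get("admin_email", "")
    if email.lower() != expected_admin_email.lower():
        findings.append(f"admin_email is {email!r}, expected {expected_admin_email!r}")
    return findings


def _wp(*args: str) -> str:
    """Run a WP-CLI command against the live site and return its stdout."""
    return subprocess.run(["wp", *args], check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys
    expected_url, expected_email = sys.argv[1], sys.argv[2]
    version = _wp("plugin", "get", PLUGIN_SLUG, "--field=version").strip()
    if is_vulnerable_version(version):
        print(f"Elementor Pro {version} is older than {FIXED_VERSION}: update now")
    live = options_from_wp_cli(_wp("option", "list", "--format=json"))
    for finding in audit_options(live, expected_url, expected_email):
        print("FINDING:", finding)
    # An administrator account nobody recognises is the clearest sign that the
    # bug was used to create one, so list them as well.
    admins = _wp("user", "list", "--role=administrator", "--field=user_login").split()
    print("administrators:", admins)
```

Run it from the WordPress root, where `wp` can find wp-config.php, as `python3 check_elementor.py https://shop.example admin@shop.example`. The version check only tells you whether you are still exposed; the option audit and the administrator list are what tell you whether someone already got in, and a rogue administrator account or a redirected siteurl means the site needs incident response, not just an update.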