Hackers have managed to find a critical vulnerability in a widely used WordPress plugin that allows them to take complete control of millions of websites.

The vulnerability, which has a severity rating of 8.8 out of a possible 10, exists in Elementor Pro, a premium plugin that runs on more than 12 million websites powered by the WordPress content management system.
Elementor Pro allows users to create high-quality websites using a wide range of tools, one of which is WooCommerce, a separate WordPress plugin. When both Elementor Pro and WooCommerce are active on a site, anyone with an account on that site (for example a non-privileged subscriber) can create new accounts that have full administrative rights.
The vulnerability was discovered by Jerome Bruandet, a researcher at security company NinTechNet. Last week, the developer of Elementor Pro released version 3.11.7, which fixes the problem. In a post published on Tuesday, Bruandet said:
An attacker can exploit the vulnerability to create an administrator account by enabling registration (users_can_register) and setting the default role (default_role) to “administrator”, change the administrator's email address (admin_email), or, as shown below, redirect all traffic to some external malicious website by changing the siteurl, among others:

Researchers from security firm PatchStack report that the exploit is being actively used right now. So if your blog is running the Elementor Pro plugin, upgrade immediately.
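Until a site is patched, one defensive layer is to refuse writes to the options Bruandet names from any request whose user lacks the manage_options capability. The must-use plugin below is an added example, not code from Elementor, NinTechNet or PatchStack; it hooks WordPress's pre_update_option_{$option} filter, and the home option is an assumption added alongside the ones the post lists.

```php
<?php
/**
 * Plugin Name: Sensitive option guard (added example, not from Elementor or NinTechNet)
 * Description: Refuse writes to high-impact options unless the current user has manage_options.
 * Install: copy into wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Options named in Bruandet's post, plus 'home' (assumption: it is abused the same way as siteurl).
const SOG_SENSITIVE_OPTIONS = array(
    'users_can_register',
    'default_role',
    'admin_email',
    'siteurl',
    'home',
);

/**
 * Callback for pre_update_option_{$option}. Returning $old_value makes
 * update_option() a no-op, so the write is refused; the attempt is logged
 * so it can be picked up by whatever reads the PHP error log.
 */
function sog_guard_option( $value, $old_value, $option ) {
    // WP-CLI and cron run without an authenticated user; let them through.
    if ( ( defined( 'WP_CLI' ) && WP_CLI ) || ( defined( 'DOING_CRON' ) && DOING_CRON ) ) {
        return $value;
    }
    if ( current_user_can( 'manage_options' ) ) {
        return $value;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        'sog: blocked write to option "%s" by user #%d (%s) from %s',
        $option,
        $user->ID,
        $user->user_login !== '' ? $user->user_login : 'anonymous',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli'
    ) );
    return $old_value;
}

foreach ( SOG_SENSITIVE_OPTIONS as $opt ) {
    add_filter( 'pre_update_option_' . $opt, 'sog_guard_option', 10, 3 );
}
```

A blocked attempt shows up in the PHP error log as a line starting with "sog: blocked write"; a burst of those from a subscriber account is a strong indicator that the site is being probed and should be updated to 3.11.7 or later.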
