WordPress Elementor Pro: attention, update immediately

Hackers managed to locate a vulnerability in a widely used WordPress plugin that enables them to take full control of millions of websites.


The vulnerability, which has a severity score of 8.8 out of a possible 10, exists in Elementor Pro, a plugin that runs on more than 12 million websites powered by the WordPress content management system.

Elementor Pro allows users to create high-quality websites using a wide range of tools, one of which is WooCommerce, a separate WordPress plugin. When these conditions are met, that is, when Elementor Pro is used together with WooCommerce, anyone with an account on the site (for example a non-privileged subscriber) can create new accounts that have full administrative rights.

The vulnerability was discovered by Jerome Bruandet, a researcher at security company NinTechNet. Last week, the developer of Elementor Pro released version 3.11.7, which fixes the vulnerability. In a post published on Tuesday, Bruandet said:

An attacker can exploit the vulnerability to create an administrator account by enabling registration (users_can_register) and setting the default role (default_role) to “administrator”, he can change the admin email (admin_email) or, as shown below, redirect all traffic to some external malicious website by changing the siteurl among other things:


Researchers from security firm Patchstack report that the vulnerability is being actively exploited right now. So if your blog is running the Elementor Pro plugin, upgrade immediately.
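For site owners who want to check whether the settings named in Bruandet's post were altered, here is an added example (not from the original article or from NinTechNet). It assumes the options were exported as JSON rows with option_name and option_value fields, the shape WP-CLI's `wp option list --format=json` produces; the baseline values, sample rows and function names are constructed for illustration.

```python
import json

PATCHED = (3, 11, 7)  # fixed Elementor Pro release named in the article

def parse_version(text):
    """Turn '3.11.6' into (3, 11, 6); missing or non-numeric parts count as 0."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))

def audit(options_json, plugin_version, baseline):
    """Compare the four options from the advisory quote with a known-good baseline."""
    opts = {row["option_name"]: str(row["option_value"])
            for row in json.loads(options_json)}
    findings = []
    if parse_version(plugin_version) < PATCHED:
        findings.append("elementor-pro %s is older than 3.11.7" % plugin_version)
    if opts.get("users_can_register") == "1" and not baseline["registration_expected"]:
        findings.append("users_can_register is enabled")
    role = opts.get("default_role", baseline["default_role"])
    if role != baseline["default_role"]:
        findings.append("default_role is %s" % role)
    for key in ("admin_email", "siteurl"):
        current = opts.get(key, baseline[key])
        # Ignore case and a trailing slash so harmless variants do not alert.
        if current.rstrip("/").lower() != baseline[key].rstrip("/").lower():
            findings.append("%s changed to %s" % (key, current))
    return findings

# Constructed baseline and sample exports (not real site data).
BASELINE = {"registration_expected": False, "default_role": "subscriber",
            "admin_email": "owner@example.com", "siteurl": "https://shop.example.com"}
SAMPLE_CLEAN = json.dumps([
    {"option_name": "users_can_register", "option_value": "0"},
    {"option_name": "default_role", "option_value": "subscriber"},
    {"option_name": "admin_email", "option_value": "owner@example.com"},
    {"option_name": "siteurl", "option_value": "https://shop.example.com/"}])
SAMPLE_TAMPERED = json.dumps([
    {"option_name": "users_can_register", "option_value": "1"},
    {"option_name": "default_role", "option_value": "administrator"},
    {"option_name": "admin_email", "option_value": "someone@example.net"},
    {"option_name": "siteurl", "option_value": "https://redirect.example.net"}])

if __name__ == "__main__":
    for line in audit(SAMPLE_TAMPERED, "3.11.6", BASELINE):
        print("FINDING:", line)
```

Any finding on a site that ran a version older than 3.11.7 is a reason to review the user list for administrator accounts nobody on the team created.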


Written by giorgos
