Millions of Websites Are in Danger Due to This WordPress Exploit

Security researchers report that attackers are actively exploiting a critical vulnerability in a widely used WordPress plugin, putting millions of websites at risk of takeover.

The vulnerability, rated 8.8 out of 10 in severity, affects Elementor Pro, a popular page-builder plugin for the WordPress content management system with an install base of more than 12 million websites.

Elementor Pro includes a set of page-building features for WooCommerce, a separate WordPress e-commerce plugin, and the flaw lies in that integration. On a site where both plugins are active, any logged-in user, even one with the lowest privileges such as a subscriber or a WooCommerce customer, can abuse it to create new accounts with full administrator rights.

The vulnerability was discovered by Jerome Bruandet, a security researcher at NinTechNet. Elementor has since patched the flaw in version 3.11.7. Bruandet wrote:

An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration and setting the default role to “administrator”, change the administrator email address or redirect all traffic to an external malicious website by changing among many other possibilities.

Researchers at PatchStack, a separate security firm, have confirmed that the vulnerability is being actively exploited in the wild.

If you run Elementor Pro, confirm that the installed version is 3.11.7 or later; every earlier version is vulnerable. Updating alone does not undo changes an attacker has already made, so also check the site for signs of compromise: administrator accounts you did not create, a changed administrator email address, a changed site URL, and open registration with the default role set to administrator.
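A triage script for that check, added here as an example rather than code from Elementor, NinTechNet or PatchStack: it compares the installed Elementor Pro version against 3.11.7 with a proper numeric comparison (a plain string comparison would rank 3.11.10 below 3.11.7) and flags the option and account changes described above against a baseline you supply. The WP-CLI collector assumes the plugin slug `elementor-pro` and that the script runs from the WordPress root; the sample data at the bottom is constructed, not taken from a real site.

```python
"""Post-patch triage for the Elementor Pro option-tampering flaw (added example)."""
from __future__ import annotations

import re
import shutil
import subprocess
from dataclasses import dataclass, field

PATCHED_VERSION = (3, 11, 7)
# wp_options keys the researchers report being abused, plus 'home' which
# an attacker redirecting traffic would change alongside 'siteurl'.
WATCHED_OPTIONS = ("users_can_register", "default_role", "admin_email", "siteurl", "home")


def parse_version(version: str) -> tuple[int, ...]:
    """'3.11.7' -> (3, 11, 7). Pre-release suffixes such as '-beta1' are dropped.
    A tuple of ints compares numerically, so 3.11.10 correctly sorts above 3.11.7."""
    digits = re.findall(r"\d+", version.split("-", 1)[0])
    return tuple(int(d) for d in digits) if digits else (0,)


def is_patched(version: str) -> bool:
    return parse_version(version) >= PATCHED_VERSION


@dataclass
class SiteState:
    elementor_pro_version: str
    options: dict[str, str]                 # option_name -> option_value
    administrators: list[str]               # user_login of every administrator


@dataclass
class Baseline:
    """What the site owner knows the site should look like."""
    admin_email: str
    urls: dict[str, str]                    # expected 'siteurl' and 'home'
    known_admins: list[str]
    registration_expected: bool = False
    default_role_expected: str = "subscriber"
    extra: dict[str, str] = field(default_factory=dict)


def find_indicators(state: SiteState, baseline: Baseline) -> list[str]:
    """Return one string per indicator of vulnerability or compromise; empty means clean."""
    findings: list[str] = []
    opts = state.options
    if not is_patched(state.elementor_pro_version):
        findings.append(f"VULNERABLE_VERSION: Elementor Pro {state.elementor_pro_version} < 3.11.7")
    if opts.get("users_can_register") == "1" and not baseline.registration_expected:
        findings.append("REGISTRATION_ENABLED: users_can_register=1 on a site that should not allow sign-ups")
    if opts.get("default_role") != baseline.default_role_expected:
        findings.append(f"DEFAULT_ROLE_CHANGED: default_role={opts.get('default_role')!r}")
    if opts.get("admin_email") != baseline.admin_email:
        findings.append(f"ADMIN_EMAIL_CHANGED: admin_email={opts.get('admin_email')!r}")
    for key in ("siteurl", "home"):
        if opts.get(key) != baseline.urls.get(key):
            findings.append(f"URL_CHANGED: {key}={opts.get(key)!r}, expected {baseline.urls.get(key)!r}")
    unexpected = sorted(set(state.administrators) - set(baseline.known_admins))
    if unexpected:
        findings.append("UNEXPECTED_ADMINS: " + ", ".join(unexpected))
    return findings


def _wp(*args: str) -> str:
    return subprocess.run(["wp", *args], check=True, capture_output=True, text=True).stdout.strip()


def collect_with_wp_cli() -> SiteState:
    """Gather the same state from a live site with WP-CLI (run from the WordPress root).
    The plugin slug 'elementor-pro' is an assumption; adjust it if your install differs."""
    if shutil.which("wp") is None:
        raise RuntimeError("WP-CLI ('wp') not found on PATH")
    return SiteState(
        elementor_pro_version=_wp("plugin", "get", "elementor-pro", "--field=version"),
        options={key: _wp("option", "get", key) for key in WATCHED_OPTIONS},
        administrators=_wp("user", "list", "--role=administrator", "--field=user_login").splitlines(),
    )


if __name__ == "__main__":
    # Constructed sample of a site that was exploited before being patched.
    sample = SiteState(
        elementor_pro_version="3.11.6",
        options={"users_can_register": "1", "default_role": "administrator",
                 "admin_email": "attacker@example.net", "siteurl": "https://evil.example",
                 "home": "https://example.com"},
        administrators=["alice", "wpadmin99"],
    )
    expected = Baseline(admin_email="alice@example.com",
                        urls={"siteurl": "https://example.com", "home": "https://example.com"},
                        known_admins=["alice"])
    for line in find_indicators(sample, expected) or ["no indicators found"]:
        print(line)
```

Run it from the WordPress root with `collect_with_wp_cli()` in place of the constructed sample; anything it reports under UNEXPECTED_ADMINS, ADMIN_EMAIL_CHANGED or URL_CHANGED means the update did not clean the site and the rogue accounts, email and URLs need to be reverted by hand after the plugin is upgraded.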
