WordPress Elementor Pro Plugin

In April 2023, hackers began actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them the ability to take complete control of millions of sites. The vulnerability, rated high severity with a CVSS score of 8.8, is present in Elementor Pro, a premium plugin running on more than 12 million sites powered by the WordPress content management system, and is exploitable when the WooCommerce plugin is also deployed.

Sites running both Elementor Pro versions prior to 3.11.7 and WooCommerce are affected by a broken access control vulnerability. An attacker who can log in as any user can use the flaw to reconfigure WooCommerce, grant themselves admin access, and take full control of the site. Any logged-in user can therefore take over a site running these plugins, which can lead to the page being defaced or visitors being redirected to malicious sites.

Elementor, the developer of the plugin, released version 3.11.7, which patches the flaw. It’s Randori’s recommendation that users ensure they’re running version 3.11.7 or later and that they avoid reusing passwords. Users should also check their sites for signs of infection such as:

  • Site redirects to a malicious website

  • New administrator accounts are created without your knowledge

  • Site URL is changed

  • Site traffic is redirected to an external malicious website

  • Unfamiliar uploaded files (files dropped on compromised sites often carry specific, recognizable names)

To evaluate potential points of exposure, Randori customers can leverage the Randori platform during investigations by searching for Targets where the “Service Name” is either “Elementor Pro” OR “WooCommerce”. Vulnerable sites will be those hostnames or IP addresses that have Targets for both plugins.
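A local equivalent of that exposure check, added here as an example and not part of Randori’s advisory or platform: it applies the condition above (Elementor Pro older than 3.11.7 with WooCommerce active) to the output of WP-CLI’s `wp plugin list --format=json`. The sample output is constructed, and the plugin slugs `elementor-pro` and `woocommerce` are assumed.

```python
import json
import re

# Elementor Pro release that patches the flaw (from the advisory above)
PATCHED_ELEMENTOR_PRO = "3.11.7"
# Plugin slugs as they appear in `wp plugin list`; assumed, not taken from the advisory
ELEMENTOR_PRO_SLUG = "elementor-pro"
WOOCOMMERCE_SLUG = "woocommerce"
ACTIVE_STATES = {"active", "active-network", "must-use"}

# Constructed sample in the shape of `wp plugin list --format=json` output
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "elementor", "status": "active", "update": "none", "version": "3.11.5"},
    {"name": "elementor-pro", "status": "active", "update": "available", "version": "3.11.6"},
    {"name": "woocommerce", "status": "active", "update": "none", "version": "7.5.1"},
])


def version_key(version: str) -> tuple:
    """Sortable key for plugin versions: numeric parts padded to three places,
    then a flag so a pre-release (e.g. 3.11.7-beta1) sorts before its final release."""
    base, _, pre_release = version.partition("-")
    parts = [int(p) for p in re.findall(r"\d+", base)]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) + ((0,) if pre_release else (1,))


def assess_plugins(plugins: list) -> dict:
    """Apply the advisory's exposure condition to plugin records
    (dicts with at least 'name', 'status' and 'version')."""
    by_slug = {p["name"]: p for p in plugins}
    elementor_pro = by_slug.get(ELEMENTOR_PRO_SLUG)
    woocommerce = by_slug.get(WOOCOMMERCE_SLUG)
    ep_active = elementor_pro is not None and elementor_pro["status"] in ACTIVE_STATES
    woo_active = woocommerce is not None and woocommerce["status"] in ACTIVE_STATES
    ep_unpatched = ep_active and (
        version_key(elementor_pro["version"]) < version_key(PATCHED_ELEMENTOR_PRO))
    return {
        "elementor_pro_version": elementor_pro["version"] if elementor_pro else None,
        "elementor_pro_unpatched": ep_unpatched,
        "woocommerce_active": woo_active,
        # Exploitable only when unpatched Elementor Pro and WooCommerce are both active
        "exposed": ep_unpatched and woo_active,
    }


def assess_wp_cli_json(raw: str) -> dict:
    """Wrapper for raw `wp plugin list --format=json` output."""
    return assess_plugins(json.loads(raw))


if __name__ == "__main__":
    print(json.dumps(assess_wp_cli_json(SAMPLE_WP_CLI_OUTPUT), indent=2))
```

A site where Elementor Pro is unpatched but WooCommerce is inactive is reported as not exposed via this path, but still needs the update.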