Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress.
The flaw, described as a case of broken access control, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7 released on March 22.
“Improved code security enforcement in WooCommerce components,” the Tel Aviv-based company said in its release notes. The premium plugin is estimated to be used on over 12 million sites.
“This makes it possible for a malicious user to turn on the registration page (if disabled) and set the default user role to administrator so they can create an account that instantly has the administrator privileges,” Patchstack said in an alert of March 30, 2023.
Patchstack further noted that the flaw is currently being abused in the wild from several IP addresses intending to upload arbitrary PHP and ZIP archive files.
Users of the Elementor Pro plugin are recommended to update to 3.11.7 or 3.12.0, which is the latest version, as soon as possible to mitigate potential threats.
Last week, WordPress issued auto-updates to remediate another critical bug in the WooCommerce Payments plugin that allowed unauthenticated attackers to gain administrator access to vulnerable sites.
Source: https://thehackernews.com/