Around 11 million websites use the popular WordPress plugin Elementor Pro, which has a security flaw that attackers are actively exploiting. The flaw lets any authenticated user, including low-privileged accounts such as shop customers, change site settings that should be reserved for administrators, which can lead to a complete takeover of the site. Because the attacker needs a logged-in account, sites that allow open user registration, such as WooCommerce shops with customer accounts, are the most exposed.
The bug stems from a broken access-control check in the plugin's WooCommerce module: it allows a logged-in user to update WordPress site options without verifying that the user is actually authorized to do so. The vulnerable code is only reachable when the WooCommerce plugin is also installed and active, and the flaw is being exploited in the wild.
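The pattern behind this class of bug is an AJAX handler that treats "logged in" as "authorized". The following PHP is an added illustration written for this page, not Elementor Pro's own code: the handler names, hook names, option names and nonce action (`demo_update_option`, `demo_store_banner_text`, and so on) are hypothetical. It shows a vulnerable options-update endpoint beside a hardened one that adds a nonce check, a capability check and an allow-list of writable options.

```php
<?php
/**
 * Added example, not Elementor Pro's code. Hypothetical WordPress AJAX
 * handlers that update site options, shown in a vulnerable and a
 * hardened form.
 */

// --- Vulnerable pattern (hypothetical) -------------------------------------
// wp_ajax_* hooks only fire for logged-in users, and that is the only
// "check" this handler relies on. Being authenticated is not authorization:
// a subscriber or shop customer can reach this code.
add_action( 'wp_ajax_demo_update_option', 'demo_update_option_vulnerable' );
function demo_update_option_vulnerable() {
    $name  = isset( $_POST['option_name'] )  ? sanitize_text_field( wp_unslash( $_POST['option_name'] ) ) : '';
    $value = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';

    // Any authenticated user can overwrite any option in wp_options,
    // including settings that govern registration and privileges.
    update_option( $name, $value );
    wp_send_json_success();
}

// --- Hardened pattern (hypothetical) ---------------------------------------
add_action( 'wp_ajax_demo_update_option_secure', 'demo_update_option_hardened' );
function demo_update_option_hardened() {
    // 1. CSRF protection: the request must carry a nonce issued to this user
    //    for this action (created with wp_create_nonce( 'demo_update_option' )).
    //    check_ajax_referer() terminates the request if the nonce is invalid.
    check_ajax_referer( 'demo_update_option', 'nonce' );

    // 2. Authorization: changing site options requires the manage_options
    //    capability, which only administrators hold by default.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allow-list: even an administrator-only endpoint should not be a
    //    generic "write any option" primitive. Each permitted option is
    //    mapped to the sanitizer that validates its value.
    $allowed = array(
        'demo_store_banner_text' => 'sanitize_text_field',
        'demo_store_banner_on'   => 'rest_sanitize_boolean',
    );

    $name = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! array_key_exists( $name, $allowed ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    $raw   = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    $value = call_user_func( $allowed[ $name ], $raw );

    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}
```

The capability check is the control whose absence makes the vulnerable handler exploitable; the nonce stops cross-site request forgery but does nothing against a user who is legitimately logged in, and the allow-list limits the blast radius if either of the first two checks is ever bypassed.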
Attackers were also seen using the flaw to plant backdoors on compromised sites or to redirect visitors to malicious websites. Although the details of these backdoors are not public, they let attackers upload further files to the infected server, which can give them full control of the WordPress site and allow them to steal data or inject additional malicious code.
“This vulnerability is currently being exploited and we are seeing attacks from multiple IP addresses,” said Patchstack, a WordPress security firm, in a security advisory on its blog.
The free Elementor plugin is not affected by this bug; only the paid Elementor Pro plugin is. Site owners are advised to update Elementor Pro to the patched version as soon as possible.