Hackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them the ability to take complete control of millions of sites, researchers said.
The vulnerability, which carries a severity rating of 8.8 out of a possible 10, is present in Elementor Pro, a premium plugin running on more than 12 million sites powered by the WordPress content management system. Elementor Pro allows users to create high-quality websites using a wide range of tools, one of which is WooCommerce, a separate WordPress plugin. When Elementor Pro is used on a site that also runs WooCommerce, anyone with an account on the site—say a subscriber or customer—can create new accounts that have full administrator privileges.
The vulnerability was discovered by Jerome Bruandet, a researcher with security firm NinTechNet. Last week, Elementor, the developer of the Elementor Pro plugin, released version 3.11.7, which patched the flaw. In a post published on Tuesday, Bruandet wrote:
An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration (users_can_register) and setting the default role (default_role) to “administrator”, change the administrator email address (admin_email) or, as shown below, redirect all traffic to an external malicious website by changing siteurl among many other possibilities:

```
MariaDB [example]> SELECT * FROM `wp_options` WHERE `option_name`='siteurl';
+-----------+-------------+------------------+----------+
| option_id | option_name | option_value     | autoload |
+-----------+-------------+------------------+----------+
|         1 | siteurl     | https://evil.com | yes      |
+-----------+-------------+------------------+----------+
1 row in set (0.001 sec)
```
Now, researchers with a separate security firm, PatchStack, report that the vulnerability is under active exploitation. Attacks are coming from a variety of IP addresses, including:
- 193.169.194.63
- 193.169.195.64
- 194.135.30.6
Files uploaded to compromised sites often have the following names:
- wp-resortpack.zip
- wp-rate.php
- lll.zip
URLs of compromised sites are often being changed to:
- away[dot]trackersline[dot]com
The broken access control vulnerability stems from Elementor Pro’s use of the “elementor-pro/modules/woocommerce/module.php” component. When WooCommerce is running, this script registers the following AJAX actions:
```php
/**
 * Register Ajax Actions.
 *
 * Registers ajax action used by the Editor js.
 *
 * @since 3.5.0
 *
 * @param Ajax $ajax
 */
public function register_ajax_actions( Ajax $ajax ) {
    // `woocommerce_update_page_option` is called in the editor save-show-modal.js.
    $ajax->register_ajax_action( 'pro_woocommerce_update_page_option', [ $this, 'update_page_option' ] );
    $ajax->register_ajax_action( 'pro_woocommerce_mock_notices', [ $this, 'woocommerce_mock_notices' ] );
}
```
and
```php
/**
 * Update Page Option.
 *
 * Ajax action can be used to update any WooCommerce option.
 *
 * @since 3.5.0
 *
 * @param array $data
 */
public function update_page_option( $data ) {
    update_option( $data['option_name'], $data['editor_post_id'] );
}
```
The update_option function “is supposed to allow the Administrator or the Shop Manager to update some specific WooCommerce options, but user input isn’t validated and the function lacks a capability check to restrict its access to a high privileged user only,” Bruandet explained. He continued:
Elementor uses its own AJAX handler to manage most of its AJAX actions, including pro_woocommerce_update_page_option, with the global elementor_ajax action. It is located in the “elementor/core/common/modules/ajax/module.php” script of the free version (which is required to run Elementor Pro):

```php
/**
 * Handle ajax request.
 *
 * Verify ajax nonce, and run all the registered actions for this request.
 *
 * Fired by `wp_ajax_elementor_ajax` action.
 *
 * @since 2.0.0
 * @access public
 */
public function handle_ajax_request() {
    if ( ! $this->verify_request_nonce() ) {
        $this->add_response_data( false, esc_html__( 'Token Expired.', 'elementor' ) )
            ->send_error( Exceptions::UNAUTHORIZED );
    }
    ...
```
Anyone using Elementor Pro should ensure they’re running 3.11.7 or later, as all previous versions are vulnerable. It’s also a good idea for these users to check their sites for the signs of infection listed in the PatchStack post.
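One way to check a site for the option changes Bruandet describes, as an added example that is not code from the article, NinTechNet, PatchStack or Elementor: it audits an export of the site's options for the tamper targets named above (siteurl, users_can_register, default_role, admin_email). It assumes the export has the JSON shape produced by `wp option list --format=json`; the function name, the extra check on the `home` option, the set of privileged roles and the sample rows are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample export (assumed shape: list of option_name/option_value rows).
SAMPLE_EXPORT = json.dumps([
    {"option_name": "siteurl", "option_value": "https://evil.com"},
    {"option_name": "home", "option_value": "https://shop.example"},
    {"option_name": "users_can_register", "option_value": "1"},
    {"option_name": "default_role", "option_value": "administrator"},
    {"option_name": "admin_email", "option_value": "owner@shop.example"},
])

# Roles that should never be handed to self-registered accounts (illustrative set).
PRIVILEGED_ROLES = {"administrator", "editor", "shop_manager"}


def audit_options(export_json, expected_host, expected_admin_email):
    """Return (option_name, finding) pairs for options that look tampered with."""
    rows = json.loads(export_json)
    opts = {row["option_name"]: str(row["option_value"]) for row in rows}
    findings = []

    # A rewritten site URL redirects all traffic, so compare hosts exactly.
    for name in ("siteurl", "home"):
        value = opts.get(name)
        if value is None:
            continue
        host = (urlparse(value).hostname or "").lower()
        if host != expected_host.lower():
            findings.append((name, f"points to unexpected host {host!r}"))

    # A privileged default role turns every new registration into a takeover.
    role = opts.get("default_role", "subscriber")
    if role in PRIVILEGED_ROLES:
        state = "open" if opts.get("users_can_register", "0") == "1" else "closed"
        findings.append(("default_role", f"new accounts get {role!r} (registration {state})"))

    # A changed admin address lets someone else receive password resets.
    email = opts.get("admin_email")
    if email is not None and email.strip().lower() != expected_admin_email.lower():
        findings.append(("admin_email", f"changed to {email!r}"))

    return findings


if __name__ == "__main__":
    for name, finding in audit_options(SAMPLE_EXPORT, "shop.example", "owner@shop.example"):
        print(f"{name}: {finding}")
```

Open registration on its own is not flagged, since many WooCommerce sites enable it legitimately; it is reported only as context for a privileged default role.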
https://arstechnica.com/?p=1928488