WordPress Plugin Exposes 11M Sites As Hackers Exploit An Alarming Security Flaw

wordpress sites being actively exploited thanks to plugins
No April Fools here; only April vulnerabilities abound with the popular WordPress addon Elementor, used by millions of websites worldwide. Adding insult to injury, threat actors are now exploiting this vulnerability to tweak settings and redirect traffic to malicious sites, among other problems.

Elementor is a Squarespace-like website builder to go over the top of WordPress, allowing drag-and-drop customization of a site without having to know programming or design. However, in versions before 3.11.7 with the premium edition of the tool, website owners who also used WooCommerce were vulnerable to full site takeover.

settings change wordpress sites being actively exploited thanks to plugins

This vulnerability is thanks to a string of features outlined in a blog post from Ninja Technologies Network, which explains that an Elementor site with WooCommerce loads “elementor-pro/modules/woocommerce/module.php.” This component registers an AJAX action called “pro_woocommerce_update_page_option,” which would allow an Administrator or Shop Manager to update WooCommerce options within the database containing configurations and options. However, the function that is called behind the “pro_woocommerce_update_page_option” does not have user input or privilege validations, meaning that any user of any privilege level can modify options.

leak wordpress sites being actively exploited thanks to plugins
You can leak the nonce used to verify that the AJAX request is coming from a privileged person.

While there are some protections upstream of this function that could prevent this attack from happening, it is possible to leak sensitive information to bypass these protections with any logged-in user account. With this all in mind, an attacker could create an administrator account, redirect site traffic to a malicious site, or do other nefarious activities.

Thankfully, this vulnerability has since been patched on March 22nd, just four days after it was discovered and reported to the authors.  However, Patchstack reports seeing active exploitation from several IP addresses, files being uploaded to vulnerable sites, and site URLs changing to attacker-controlled locations. Thus, those who use a premium version of Elementor and WooCommerce should update their sites to Elementor version 3.11.7 or later.