A critical vulnerability in a widely used WordPress plugin could allow attackers to take control of approximately 12 million websites if exploited, according to a statement released last week. According to the NinTechNet researcher who found it, the flaw affects Elementor Pro, a page builder that lets users create professional-looking websites without any programming knowledge. It can be exploited when the plugin is used together with the WooCommerce online store-building tool.
If these conditions are met, anyone with an account on the affected site can create new accounts with administrator privileges. From there, an attacker can take control of the site, redirect all of its traffic to a fraudulent website, and perform other malicious actions.
WordPress alerted users to the flaw and the availability of a solution to fix it.
According to the report, the attacks are carried out from the IP addresses 126.96.36.199, 188.8.131.52, and 184.108.40.206 and result in the files wp-resortpack.zip, wp-rate.php, and lll.zip being installed on the compromised sites.
Update to protect yourself
As reported to the content management platform on March 18th, the flaw in the Elementor Pro plugin has already been fixed, with a security patch released on the 22nd of last month. Site administrators need to apply the update to protect their pages.
The bug affects Elementor Pro versions 3.11.6 and earlier; the update brings the plugin to version 3.11.7, which removes the vulnerability. The platform reported having alerted all users of the tool and said that users of Ninja Firewall WP Edition and Ninja Firewall WP+ Edition are protected from the flaw.
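The following is an added triage script, not code from the article or from NinTechNet, that turns the two actionable facts above into checks a site administrator can run: whether the installed Elementor Pro version is below the fixed 3.11.7, and whether any of the reported indicators (the three IP addresses and the three dropped file names) appear in the site's files or web server access log. The plugin header text, file listing and log lines embedded below are constructed sample data; the plugin path wp-content/plugins/elementor-pro/elementor-pro.php is assumed, and the version-check logic reads the standard WordPress "Version:" header line.

```python
import re
from pathlib import Path

# Indicators taken from the article: first fixed version, attacker IPs, dropped files.
FIXED_VERSION = (3, 11, 7)
ATTACKER_IPS = {"126.96.36.199", "188.8.131.52", "184.108.40.206"}
DROPPED_FILES = {"wp-resortpack.zip", "wp-rate.php", "lll.zip"}

# Assumed location of the plugin's main file on a real install (not stated in the article).
PLUGIN_MAIN_FILE = "wp-content/plugins/elementor-pro/elementor-pro.php"


def parse_version(version_str):
    """'3.11.6' -> (3, 11, 6); tuple comparison handles 3.11.10 > 3.11.7 correctly."""
    return tuple(int(part) for part in version_str.strip().split("."))


def elementor_pro_version(header_text):
    """Pull the 'Version:' line out of a WordPress plugin file header; None if absent."""
    match = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    return match.group(1) if match else None


def is_vulnerable(version_str):
    """True for every release up to and including 3.11.6, as the article states."""
    return parse_version(version_str) < FIXED_VERSION


def find_dropped_files(paths):
    """Return the paths whose file name matches one of the reported dropped files."""
    return sorted(p for p in paths if Path(p).name in DROPPED_FILES)


def suspicious_log_lines(lines):
    """Flag combined-log-format lines from the reported IPs or requesting a dropped file."""
    hits = []
    for line in lines:
        ip = line.split(" ", 1)[0]
        request = line.split('"')[1] if '"' in line else ""
        if ip in ATTACKER_IPS:
            hits.append(("known attacker IP", line))
        elif any(name in request for name in DROPPED_FILES):
            hits.append(("request for dropped file", line))
    return hits


def assess(header_text, file_paths, log_lines):
    """Combine the three checks into one report dictionary."""
    version = elementor_pro_version(header_text)
    return {
        "version": version,
        "vulnerable": is_vulnerable(version) if version else None,
        "dropped_files": find_dropped_files(file_paths),
        "log_hits": suspicious_log_lines(log_lines),
    }


# Constructed sample inputs standing in for the real plugin file, file listing and access log.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Elementor Pro
 * Version: 3.11.5
 */
"""

SAMPLE_PATHS = [
    "wp-content/uploads/2023/03/photo.jpg",
    "wp-content/uploads/2023/03/wp-resortpack.zip",
    "wp-rate.php",
]

SAMPLE_LOG = [
    '203.0.113.10 - - [01/Apr/2023:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
    '126.96.36.199 - - [01/Apr/2023:10:01:00 +0000] "POST /wp-admin/ HTTP/1.1" 200 45',
    '184.108.40.206 - - [01/Apr/2023:10:02:00 +0000] "GET /wp-rate.php HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Apr/2023:10:03:00 +0000] "GET /lll.zip HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    # On a real site, read PLUGIN_MAIN_FILE, walk the web root and read the access log instead.
    for key, value in assess(SAMPLE_HEADER, SAMPLE_PATHS, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A version at or above 3.11.7 clears the first check, but a hit on either indicator check means the site should be treated as possibly already compromised regardless of the installed version, since the update closes the hole without undoing anything an attacker did before it was applied.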