The popular WordPress plugin Elementor Pro is used on more than 11 million websites. According to reports, hackers are actively exploiting a bug in the plugin. Elementor Pro offers features such as drag-and-drop editing, theme building, a large collection of templates, custom widget support, and a WooCommerce builder for online shops.
Researcher Jerome Bruandet disclosed the flaw in mid-March. It affects version 3.11.6 of the plugin and all earlier versions. The bug lets authenticated users change the site's settings, and attackers are using it to take over sites completely.
The root cause is broken access control in the plugin's WooCommerce module, which lets any logged-in user modify WordPress database options without proper permission checks.
How Are Hackers Exploiting This Bug?
The security firm PatchStack reports that attackers are exploiting the Elementor Pro vulnerability to redirect visitors to malicious sites. The flaw stems from insufficient input validation and missing capability checks. The backdoors uploaded in these attacks were named:
- Wp-resortpark.zip
- Wp-rate.php
- III.zip
A sample of the III.zip archive was found to contain a PHP script that a remote attacker uses to upload additional files to the compromised server. The backdoor gives attackers full access to WordPress, letting them steal data or install further malicious code.
If your site uses the Elementor Pro plugin, upgrade to version 3.11.7 or later as soon as possible, because attackers are actively targeting vulnerable websites.
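As an added example (not code from the article, Elementor, or WordPress), a small Python check a site owner can run against a WordPress install: it reads the Elementor Pro version from the plugin header, compares it with the fixed release named above, and flags files whose names match the backdoors the report lists. The plugin path wp-content/plugins/elementor-pro/elementor-pro.php is assumed to be the standard layout.

```python
"""Hypothetical checker for the Elementor Pro issue described in the article."""
import os
import re
import sys

FIXED_VERSION = (3, 11, 7)  # first release without the bug, per the report
# File names the report says were uploaded in the attacks (compared case-insensitively).
SUSPICIOUS_NAMES = {"wp-resortpark.zip", "wp-rate.php", "iii.zip"}
# Matches the "Version:" line of a standard WordPress plugin header, e.g. " * Version: 3.11.6".
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def parse_version(header_text):
    """Return the plugin header version as a tuple of ints, or None if absent."""
    match = HEADER_RE.search(header_text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).strip(".").split("."))


def is_vulnerable(version):
    """True for 3.11.6 and every earlier release; tuple comparison handles 3.9.x correctly."""
    return version is not None and version < FIXED_VERSION


def match_suspicious(paths):
    """Filter an iterable of file paths down to those whose base name is a reported backdoor."""
    return sorted(p for p in paths if os.path.basename(p).lower() in SUSPICIOUS_NAMES)


def check_site(wp_root):
    """Return the installed version, whether it is vulnerable, and any suspicious files found."""
    plugin_file = os.path.join(wp_root, "wp-content", "plugins", "elementor-pro", "elementor-pro.php")
    version = None
    if os.path.isfile(plugin_file):
        with open(plugin_file, encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read(4096))  # the header sits at the top of the file
    all_files = (os.path.join(d, f) for d, _dirs, files in os.walk(wp_root) for f in files)
    return {
        "version": version,
        "vulnerable": is_vulnerable(version),
        "suspicious_files": match_suspicious(all_files),
    }


if __name__ == "__main__":
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "."))
```

A missing plugin file yields `version: None` and `vulnerable: False`, so an absent plugin is not reported as vulnerable; treat a None version as "could not determine" rather than "safe".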