{"id":624340,"date":"2023-04-01T09:49:13","date_gmt":"2023-04-01T14:49:13","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/04\/01\/hackers-exploit-wordpress-plugin-flaw-that-gives-full-control-of-millions-of-sites\/"},"modified":"2023-04-01T09:49:13","modified_gmt":"2023-04-01T14:49:13","slug":"hackers-exploit-wordpress-plugin-flaw-that-gives-full-control-of-millions-of-sites","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/04\/01\/hackers-exploit-wordpress-plugin-flaw-that-gives-full-control-of-millions-of-sites\/","title":{"rendered":"Hackers exploit WordPress plugin flaw that gives full control of millions of sites"},"content":{"rendered":"<div>\n<h4>\n      GOT UPDATES?    \u2014<br \/>\n<\/h4>\n<h2 itemprop=\"description\">Elementor Pro fixed the vulnerability, but not everyone has installed the patch.<\/h2>\n<section>\n<p itemprop=\"author creator\" itemscope itemtype=\"http:\/\/schema.org\/Person\">\n      <a itemprop=\"url\" href=\"https:\/\/arstechnica.com\/author\/dan-goodin\/\" rel=\"author\"><span itemprop=\"name\">Dan Goodin<\/span><\/a><br \/>\n    &#8211;  <time data-time=\"1680302419\" datetime=\"2023-03-31T22:40:19+00:00\">Mar 31, 2023 10:40 pm UTC<\/time>\n<\/p>\n<\/section><\/div>\n<div itemprop=\"articleBody\">\n<figure>\n  <img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2022\/05\/caution-tape-800x600.jpeg\" alt=\"Hackers exploit WordPress plugin flaw that gives full control of millions of sites\"><figcaption>\n<p>Getty Images<\/p>\n<\/figcaption><\/figure>\n<p>Hackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them the ability to take complete control of millions of sites, researchers said.<\/p>\n<p>The vulnerability, which carries a severity rating of 8.8 out of a possible 10, is present in Elementor Pro, a <a href=\"https:\/\/elementor.com\/pricing\/\">premium plugin<\/a> running on more than 12 
million sites powered by the WordPress content management system. Elementor Pro allows users to create high-quality websites using a wide range of tools, one of which is WooCommerce, a separate WordPress plugin. When both Elementor Pro and WooCommerce are active on a site, anyone with an account on that site\u2014say a subscriber or customer\u2014can create new accounts that have full administrator privileges.<\/p>\n<p>The vulnerability was discovered by Jerome Bruandet, a researcher with security firm NinTechNet. Last week, Elementor, the developer of the Elementor Pro plugin, <a href=\"https:\/\/elementor.com\/pro\/changelog\/\">released<\/a> version 3.11.7, which patched the flaw. In a <a href=\"https:\/\/blog.nintechnet.com\/high-severity-vulnerability-fixed-in-wordpress-elementor-pro-plugin\/\">post<\/a> published on Tuesday, Bruandet wrote:<\/p>\n<blockquote>\n<p>An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration (<code>users_can_register<\/code>) and setting the default role (<code>default_role<\/code>) to \u201cadministrator\u201d, change the administrator email address (<code>admin_email<\/code>) or, as shown below, redirect all traffic to an external malicious website by changing <code>siteurl<\/code> among many other possibilities:<\/p>\n<pre>MariaDB [example]> SELECT * FROM `wp_options` WHERE `option_name`='siteurl';\n+-----------+-------------+------------------+----------+\n| option_id | option_name | option_value     | autoload |\n+-----------+-------------+------------------+----------+\n|         1 | siteurl     | https:\/\/evil.com | yes      |\n+-----------+-------------+------------------+----------+\n1 row in set (0.001 sec)<\/pre>\n<\/blockquote>\n<p>Now, researchers with a separate security firm, PatchStack, <a href=\"https:\/\/patchstack.com\/articles\/critical-elementor-pro-vulnerability-exploited\/\">report<\/a> that the vulnerability is under active exploitation. 
Attacks are coming from a variety of IP addresses, including:<\/p>\n<ul>\n<li>193.169.194.63<\/li>\n<li>193.169.195.64<\/li>\n<li>194.135.30.6<\/li>\n<\/ul>\n<p>Files uploaded to compromised sites often have the following names:<\/p>\n<ul>\n<li>wp-resortpack.zip<\/li>\n<li>wp-rate.php<\/li>\n<li>lll.zip<\/li>\n<\/ul>\n<p>URLs of compromised sites are often being changed to:<\/p>\n<ul>\n<li>away[dot]trackersline[dot]com<\/li>\n<\/ul>\n<p>The broken access control vulnerability stems from Elementor Pro\u2019s use of the \u201celementor-pro\/modules\/woocommerce\/module.php\u201d component. When WooCommerce is running, this script registers the following AJAX actions:<\/p>\n<pre>\/**\n * Register Ajax Actions.\n *\n * Registers ajax action used by the Editor js.\n *\n * @since 3.5.0\n *\n * @param Ajax $ajax\n *\/\npublic function register_ajax_actions( Ajax $ajax ) {\n   \/\/ `woocommerce_update_page_option` is called in the editor save-show-modal.js.\n   $ajax->register_ajax_action( 'pro_woocommerce_update_page_option', [ $this, 'update_page_option' ] );\n   $ajax->register_ajax_action( 'pro_woocommerce_mock_notices', [ $this, 'woocommerce_mock_notices' ] );\n}<\/pre>\n<p>and<\/p>\n<pre>\/**\n * Update Page Option.\n *\n * Ajax action can be used to update any WooCommerce option.\n *\n * @since 3.5.0\n *\n * @param array $data\n *\/\npublic function update_page_option( $data ) {\n   update_option( $data['option_name'], $data['editor_post_id'] );\n}\n<\/pre>\n<p>The update_option function \u201cis supposed to allow the Administrator or the Shop Manager to update some specific WooCommerce options, but user input isn\u2019t validated and the function lacks a capability check to restrict its access to a high-privileged user only,\u201d Bruandet explained. 
He continued:<\/p>\n<blockquote>\n<p>Elementor uses its own AJAX handler to manage most of its AJAX actions, including <code>pro_woocommerce_update_page_option<\/code>, with the global <code>elementor_ajax<\/code> action. It is located in the \u201celementor\/core\/common\/modules\/ajax\/module.php\u201d script of the free version (which is required to run Elementor Pro):<\/p>\n<pre>\/**\n * Handle ajax request.\n *\n * Verify ajax nonce, and run all the registered actions for this request.\n *\n * Fired by `wp_ajax_elementor_ajax` action.\n *\n * @since 2.0.0\n * @access public\n *\/\npublic function handle_ajax_request() {\n   if ( ! $this->verify_request_nonce() ) {\n      $this->add_response_data( false, esc_html__( 'Token Expired.', 'elementor' ) )\n         ->send_error( Exceptions::UNAUTHORIZED );\n   }\n   ...\n<\/pre>\n<\/blockquote>\n<p>Anyone using Elementor Pro should ensure they\u2019re running 3.11.7 or later, as all previous versions are vulnerable. It\u2019s also a good idea for these users to check their sites for the signs of infection listed in the PatchStack post.<\/p>\n<\/div>\n<p>Source: <a href=\"https:\/\/arstechnica.com\/?p=1928488\">Ars Technica<\/a>, Dan Goodin<\/p>\n","protected":false},
"author":1,"featured_media":624341,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2757,183,46],"tags":[],"class_list":{"0":"post-624340","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-exploit","8":"category-hackers","9":"category-technology"},"aioseo_notices":[]}