Recently a high severity vulnerability was discovered in the popular Elementor Pro WordPress plugin.
If your WordPress-based website(s) use this plugin, you should immediately update to at least version 3.11.7. Prior versions potentially allow attackers to leverage this plugin, when it runs alongside WooCommerce, to modify existing users, add new users, change site settings, and potentially perform a complete site takeover.
You can verify which version of Elementor Pro you are currently running by logging into your WordPress admin console, clicking plugins and finding Elementor Pro in the plugin list.
Elementor Pro is a premium version of the popular Elementor page builder plugin for WordPress. Elementor is a powerful drag-and-drop page builder that allows users to design and customize their website without the need to code.
Vulnerability Details
One feature of the premium version is the WooCommerce Builder which enables customization of product pages, categories and other related WooCommerce elements.
The WooCommerce builder integration is where this vulnerability stems from.
The file elementor-pro/modules/woocommerce/module.php in Elementor Pro prior to v3.11.7 contains the broken access control that makes this vulnerability exploitable.
The most common exploitation of this vulnerability is for the attacker to redirect the website to a malicious website. However, we are seeing a large percentage of sites completely compromised and filled with additional malware.
As with any vulnerability, an initial exploitation often leads to other bad actors leveraging files created or modified by the first attacker to inject additional malware.
What should I do if I have an outdated version of Elementor Pro?
The Elementor team quickly made a patch for this vulnerability which is available inside your WordPress admin console under plugins.
Step 1: Log in to your WordPress admin console by navigating to: https://yourwebsite.com/wp-admin
Step 2: Log in with your admin email and password
Step 3: Click Plugins on the left-hand menu
Step 4: Find Elementor Pro in the plugin list
Step 5: Click the ‘update now’ link
Step 6: Once the update is complete, please confirm the version is at least 3.11.7
Additionally, you can log in to Elementor’s website and follow the instructions for updating your plugin.
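For administrators responsible for several WordPress installs, the version check in Step 6 can be scripted instead of repeated in each admin console. The Python script below is an added example, not SiteLock's or Elementor's code; it assumes the plugin's main file is wp-content/plugins/elementor-pro/elementor-pro.php carrying the standard WordPress plugin header, and it compares the Version: field numerically against 3.11.7 (a plain string comparison would wrongly rank 3.9.x above 3.11.7 and report a vulnerable site as patched).

```python
import re
from pathlib import Path

FIXED_VERSION = "3.11.7"  # first version with the access-control fix, per the advisory

# Assumption: Elementor Pro's main file is elementor-pro/elementor-pro.php
# and carries the standard WordPress plugin header comment.
PLUGIN_MAIN_FILE = Path("elementor-pro") / "elementor-pro.php"


def parse_plugin_version(header_text: str):
    """Return the value of the 'Version:' header line, or None if absent."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$",
                      header_text, re.MULTILINE)
    return match.group(1) if match else None


def version_key(version: str):
    """Split a dotted version into integers so 3.9.2 sorts below 3.11.7."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)  # ignore suffixes like 7-beta
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return version_key(version) < version_key(fixed)


def scan_plugins_dir(plugins_dir) -> dict:
    """Inspect one wp-content/plugins directory and report Elementor Pro status."""
    main_file = Path(plugins_dir) / PLUGIN_MAIN_FILE
    if not main_file.is_file():
        return {"installed": False, "version": None, "vulnerable": False}
    version = parse_plugin_version(main_file.read_text(errors="replace"))
    if version is None:  # header missing or mangled: flag for manual review
        return {"installed": True, "version": None, "vulnerable": None}
    return {"installed": True, "version": version, "vulnerable": is_vulnerable(version)}


# Constructed sample header in the shape WordPress uses (not a real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Elementor Pro
 * Version: 3.9.2
 * Text Domain: elementor-pro
 */
"""

if __name__ == "__main__":
    import sys
    for site_root in sys.argv[1:]:  # e.g. /var/www/example.com
        print(site_root, scan_plugins_dir(Path(site_root) / "wp-content" / "plugins"))
```

Run it with one or more WordPress document roots as arguments; any site reporting vulnerable: True should be updated before anything else.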
If your security provider conducts file code scans and has confirmed the absence of malware resulting from this vulnerability, after you have updated the plugin, you should be all set.
If you do find you still have malware after updating the plugin, it is crucial to seek assistance from a security professional to remove any remaining malware and verify your site is malware-free.
It is important to note that simply updating a plugin will most likely not fix malware issues you currently have, but it will help prevent them in the future.
How can I protect my site going forward?
Always ensure your plugins, themes and CMS are up to date with the latest version.
Malware typically stems from vulnerabilities present within the code of your web applications. While maintaining regular updates can increase the likelihood of having fewer or no vulnerabilities on your website, it does not guarantee complete protection due to the constant discovery of vulnerabilities.
However, prioritizing updating your web applications serves as an initial defense to ensure your website functions properly and helps maximize your website's security.
How can SiteLock Help?
Many WordPress attacks are avoidable, but it takes a lot of effort to protect your site. Don't go it alone; work with a trusted WordPress security solution to keep today's top cybersecurity threats at bay. Whether it's a brute force attack, backdoor intrusion, or malware infection, SiteLock can keep attackers at bay.
Check out our plans or reach out for more information.
If you have purchased SiteLock services through your hosting provider or a 3rd party and need assistance, please reach out to your hosting or service provider, who, depending on your level of service, may set up a ticket with SiteLock to have your website manually reviewed by a security professional.