WordPress is one of the most widely used content management systems, running millions of websites around the world. In March 2023 it was in the news again when attackers exploited a security bug in Elementor Pro, a popular page-builder plugin. The Elementor plugin family is installed on roughly 11 million websites, and the flaw put the Pro installations among them (those also running WooCommerce) at risk of complete takeover and data compromise.
Elementor Pro lets users build polished, professional-looking websites without writing any code, and plenty of site owners with no programming background have built their sites with it. Useful as the plugin is, the security bug in it was a serious matter. Here is what happened.
The bug was discovered by NinTechNet researcher Jerome Bruandet on 18 March 2023, who went on to publish a write-up describing the flaw and the ways it could be exploited. “An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration and setting the default role to ‘administrator’, change the administrator email address or, redirect all traffic to an external malicious website by changing the site URL among many other possibilities,” explained Bruandet in the write-up. Reports of mass exploitation of websites followed within days.
The bug was a missing authorization check: Elementor Pro exposed a request handler that let any logged-in user change WordPress settings that should be reserved for administrators. WordPress confirmed that the requester was authenticated, but the plugin never checked that the user actually had the capability to change those settings, so a low-privilege account such as a WooCommerce shop customer was enough. Because online stores let visitors register their own customer accounts, a complete stranger could sign up and then take over the site by rewriting values in the WordPress options table without proper authorization.
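To make the class of bug concrete, here is an illustrative WordPress AJAX handler in the vulnerable shape beside a hardened version. This is an added example written for this article, not Elementor Pro's source code; the action name `demo_update_page_option`, the nonce name and the allowlist of WooCommerce page options are assumptions for the demonstration.

```php
<?php
// Added example: an illustrative plugin handler, NOT Elementor Pro's own code.
// Both handlers hang off wp_ajax_* (logged-in users only). The action name,
// nonce name and allowlist below are assumptions made for this demo.

// VULNERABLE: any authenticated user, a shop customer included, can write an
// arbitrary option. The nonce only proves the request came from a page of this
// site; it says nothing about whether the user is allowed to do this.
add_action( 'wp_ajax_demo_update_page_option', function () {
    check_ajax_referer( 'demo_nonce', '_nonce' );

    $name  = sanitize_text_field( wp_unslash( $_POST['option_name'] ?? '' ) );
    $value = wp_unslash( $_POST['option_value'] ?? '' );

    // With option_name=users_can_register / default_role / admin_email / siteurl
    // this line hands the site to the attacker.
    update_option( $name, $value );
    wp_send_json_success();
} );

// HARDENED: capability check + allowlist of option names + typed value.
// Option names assumed for the demo: the WooCommerce page-ID settings.
const DEMO_ALLOWED_OPTIONS = [
    'woocommerce_shop_page_id',
    'woocommerce_cart_page_id',
    'woocommerce_checkout_page_id',
    'woocommerce_myaccount_page_id',
];

add_action( 'wp_ajax_demo_update_page_option_fixed', function () {
    check_ajax_referer( 'demo_nonce', '_nonce' );

    // Authorization: only users who may manage site options get through.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Never let the client pick an arbitrary option name.
    $name = sanitize_key( wp_unslash( $_POST['option_name'] ?? '' ) );
    if ( ! in_array( $name, DEMO_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    // The only legitimate value here is the ID of an existing page.
    $page_id = absint( $_POST['option_value'] ?? 0 );
    if ( ! $page_id || 'page' !== get_post_type( $page_id ) ) {
        wp_send_json_error( 'invalid page id', 400 );
    }

    update_option( $name, $page_id );
    wp_send_json_success( [ 'option' => $name, 'value' => $page_id ] );
} );
```

The essential difference is the `current_user_can()` check: authentication (is there a logged-in user?) and authorization (may this user change site settings?) are separate questions, and a nonce answers neither. The allowlist is a second layer so that even an administrator's request cannot be bent into writing unrelated options.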
Attackers used that access for their own ends. They redirected visitors to malicious websites and uploaded backdoors to the sites they had compromised; a backdoor gives persistent access to further files and, from there, full control of the site, which in turn enables data theft or the planting of more malicious code. The flaw affected Elementor Pro 3.11.6 and all earlier versions, and it could be exploited only when the WooCommerce plugin was also active on the site.
Users were advised to update Elementor Pro to the fixed release immediately (3.11.7, followed shortly by 3.12.0). Until that update was applied nothing else closed the hole, and the attacks came from many IP addresses. Only the paid Elementor Pro plugin was affected; the free Elementor plugin did not contain the bug. Note that the fix is an update to the Elementor Pro plugin, not to WordPress core, and that updating only closes this particular hole: a site that was compromised before the update still carries whatever the attacker left behind (rogue administrator accounts, altered settings, uploaded backdoors), so it needs to be audited and cleaned as well.
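The following post-incident audit is an added example, not part of the article or of Elementor's tooling. It checks the indicators the write-up lists (registration switched on, default role set to administrator, admin email or site URL changed, unexpected administrator accounts) plus PHP files dropped into the uploads directory, the usual home for backdoors. It assumes it is run with WordPress loaded, for example via WP-CLI as `wp eval-file audit.php` from the site root; the expected values and the list of known administrators are placeholders to replace with your own.

```php
<?php
// Added example: post-compromise audit for a WordPress site. Not from the
// article or from Elementor. Run with WordPress loaded, e.g.
//   wp eval-file audit.php
// Expected values below are assumptions; set them to what you know is right.
$expected_options = [
    'siteurl'            => 'https://shop.example',      // assumed
    'home'               => 'https://shop.example',      // assumed
    'admin_email'        => 'owner@shop.example',        // assumed
    'users_can_register' => '0',                         // registration off
    'default_role'       => 'subscriber',                // WordPress default
];
$known_admins = [ 'owner' ];                             // assumed

$findings = [];

// 1. Settings an attacker would flip to create an admin or hijack traffic.
foreach ( $expected_options as $name => $want ) {
    $have = get_option( $name );
    if ( (string) $have !== $want ) {
        $findings[] = sprintf( 'option %s is %s, expected %s',
            $name, var_export( $have, true ), $want );
    }
}

// 2. Administrator accounts you did not create.
foreach ( get_users( [ 'role' => 'administrator' ] ) as $user ) {
    if ( ! in_array( $user->user_login, $known_admins, true ) ) {
        $findings[] = sprintf( 'unexpected administrator "%s" (registered %s, email %s)',
            $user->user_login, $user->user_registered, $user->user_email );
    }
}

// 3. Executable files in the uploads tree: uploads should hold media only.
$uploads = wp_upload_dir()['basedir'];
$iter    = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $uploads, FilesystemIterator::SKIP_DOTS )
);
foreach ( $iter as $file ) {
    if ( preg_match( '/\.(php\d?|phtml|phar)$/i', $file->getFilename() ) ) {
        $findings[] = sprintf( 'executable file under uploads: %s (modified %s)',
            $file->getPathname(), date( 'c', $file->getMTime() ) );
    }
}

// Report. Plain echo so the script also works outside WP-CLI.
if ( ! $findings ) {
    echo "OK: no indicators found\n";
} else {
    foreach ( $findings as $finding ) {
        echo "WARNING: {$finding}\n";
    }
}
```

A clean result from this script does not prove the site is clean; it only covers the indicators named in the write-up. If any finding appears, treat the site as compromised: rotate all credentials and salts, remove the rogue accounts and files, and compare the codebase against a fresh copy of every plugin and theme rather than trusting the update alone.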