Cybercriminals are taking advantage of a critical vulnerability in the Elementor Pro plugin for WordPress, granting them the ability to seize control of sites that also use WooCommerce. The security flaw, identified by cybersecurity expert Jerome Bruandet of NinTechNet, permits attackers to run any code they choose on the affected system.
According to Jerome's blog, the flaw is being actively exploited in the wild, with millions of sites at risk. The Elementor Pro plugin is a popular tool used by website developers to create custom designs and layouts for WordPress sites. It is estimated that over 12 million sites use the plugin, making it a prime target for cybercriminals. The vulnerability is caused by a lack of input validation in the plugin's code, which allows attackers to inject malicious code into the target system. Once that code is executed, the attacker can take control of the site and perform a range of malicious activities, including stealing sensitive data, installing malware, and launching DDoS attacks.
Security experts urge WordPress site owners to update their Elementor Pro plugin to the latest version as soon as possible. They also recommend implementing additional security measures, such as using a web application firewall (WAF) and enabling DNS over HTTPS (DoH) to protect against DNS-based attacks.

The Elementor Pro vulnerability is just the latest in a string of high-profile attacks targeting WordPress sites. In recent years, cybercriminals have exploited a range of vulnerabilities in WordPress plugins and themes to gain access to sensitive data and launch attacks. Site owners must therefore remain vigilant and proactively protect their sites from cyber threats.