The Possible Risks of Elementor Pro's Security Flaw
Elementor Pro's security flaw allows authenticated users to set up an administrator account. Unfortunately, that means unauthorized people can take over the site and perform malicious acts. For example, they can enable the registration page, switch their role to administrator, and gain various privileges.
Threat actors are using the flaw to divert traffic to a malicious website. This vulnerability exists because of faulty access control on Elementor Pro's WooCommerce module. Cybersecurity company NinTechNet was the first to uncover the vulnerability in March 2023.
According to PatchSack, threat actors use the flaw for backdoor attacks. They upload malicious content to compromised sites such as wp-rate.php, III.zip, and wp-resortpack.zip. The WordPress security firm says it sees attacks from several IP addresses.
It is not Elementor Pro's first high-severity security issue. In April 2022, cybersecurity researchers at Wordfence identified a flaw that lets authenticated users transfer arbitrary PHP code. It was a new Onboarding module that opened the vulnerability.
Elementor Pro Users Should Upgrade to the Latest Version
Elementor Pro's current security flaw has a vulnerability rating of 8.8 out of 10. That earns it a critical status. Older versions of the plug-in are at greater risk for malicious attempts. Users should upgrade to Elementor Pro 3.11.7 or later as soon as possible to mitigate risks. The improved security code provides better protection of user data against hackers.
Protect Your Website from Cybersecurity Threats
Business owners must be vigilant about the platforms they use for their online operations. The Elementor Pro security issue proves that even a seemingly harmless plug-in can be the gateway to malicious attacks. Do research before using any software and check for past security lapses.
Also, always upgrade to the latest versions to ensure maximum protection for your data.
Lastly, have security measures in place to mitigate risks. That includes creating data backups, installing firewalls, and using strong passwords. Business owners must also conduct regular cybersecurity training for their employees.