The Hacker News reports that a high-severity flaw in the WordPress website builder plugin Elementor Pro continues to be exploited by unidentified threat actors.
Affecting versions 3.11.6 and older, the vulnerability is described as a broken access control flaw that, when successfully exploited, allows an attacker to take over a WordPress site with WooCommerce enabled. Malicious users are then able to re-enable the registration page if it is disabled, set the default user role to administrator, and create accounts with administrator privileges, according to a notice on Patchstack.
"After this, they are likely to either redirect the site to another malicious domain or upload a malicious plugin or backdoor to further exploit the site," according to the notice.
Patchstack added that the vulnerability is currently being exploited by users who are identified by various IP addresses and whose goal is to upload arbitrary PHP and ZIP archive files. The flaw was addressed in the 3.11.7 patch and Elementor Pro plugin users have been urged to update to that version or the latest 3.12.0 patch.
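As an added defender-side example that is not part of the article or of Patchstack's notice: a small audit that checks a WordPress site's state for the post-exploitation indicators described above (registration re-enabled, default role set to administrator, newly registered administrators, PHP or ZIP files dropped under uploads). The option, user and upload data are constructed sample values; in practice they would be pulled with wp-cli or read from the database.

```python
"""Audit a WordPress site's state for the indicators described in the
Elementor Pro (<= 3.11.6) campaign: open registration, default_role set to
administrator, recently created administrator accounts, and PHP/ZIP files
in wp-content/uploads. All input data below is constructed sample data."""
from datetime import datetime, timedelta

# File types an attacker would drop into uploads after taking over the site
SUSPECT_EXTENSIONS = (".php", ".phtml", ".zip")


def audit_site(options, users, upload_files, now, lookback_days=7):
    """Return a list of (severity, message) findings.

    options      - dict of wp_options name -> value (strings, as WP stores them)
    users        - list of dicts: {"login", "role", "registered": datetime}
    upload_files - list of paths relative to wp-content/uploads
    """
    findings = []
    if options.get("users_can_register") == "1":
        findings.append(("medium", "open registration is enabled (users_can_register=1)"))
    role = options.get("default_role", "subscriber")
    if role != "subscriber":
        sev = "critical" if role == "administrator" else "high"
        findings.append((sev, f"default_role is '{role}' instead of 'subscriber'"))
    cutoff = now - timedelta(days=lookback_days)
    for u in users:
        if u["role"] == "administrator" and u["registered"] >= cutoff:
            findings.append(("critical", f"administrator '{u['login']}' registered {u['registered']:%Y-%m-%d}"))
    for path in upload_files:
        if path.lower().endswith(SUSPECT_EXTENSIONS):
            findings.append(("high", f"executable/archive file in uploads: {path}"))
    return findings


# Constructed sample state (hypothetical values, not taken from the article)
NOW = datetime(2023, 4, 1)
SAMPLE_OPTIONS = {"users_can_register": "1", "default_role": "administrator"}
SAMPLE_USERS = [
    {"login": "owner", "role": "administrator", "registered": datetime(2021, 5, 2)},
    {"login": "wpadmin2", "role": "administrator", "registered": datetime(2023, 3, 30)},
    {"login": "customer1", "role": "customer", "registered": datetime(2023, 3, 31)},
]
SAMPLE_UPLOADS = ["2023/03/product.jpg", "2023/03/wp-cache.php", "2023/03/bundle.zip"]

if __name__ == "__main__":
    for sev, msg in audit_site(SAMPLE_OPTIONS, SAMPLE_USERS, SAMPLE_UPLOADS, NOW):
        print(f"[{sev}] {msg}")
```

A clean site (registration closed, default role subscriber, no new administrators, no PHP/ZIP in uploads) produces an empty findings list.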
Organizations using Progress Software's enterprise-grade WS_FTP Server secure file transfer software have been urged to immediately remediate a maximum severity vulnerability, which has been fixed along with other bugs as part of a security update, reports BleepingComputer.
SiliconAngle reports that more companies have been conducting purple team cybersecurity threat evaluations, with security penetration testing firm SpecterOps being the latest to create a collaboration between its offensive and defensive cybersecurity teams in testing and defending corporate systems.