Flaw in Elementor Pro plugin poses risk of website takeover

The Hacker News reports that a high-severity flaw in the WordPress website builder plugin Elementor Pro continues to be exploited by unidentified threat actors. Affecting versions 3.11.6 and older, the vulnerability is described as a broken access control flaw that when successfully exploited allows an attacker to take over a WordPress site with WooCommerce enabled. Malicious users are then able to re-enable the registration page if disabled, set the default user role to administrator, and create accounts with administrator privileges, according to a notice on Patchstack. "After this, they are likely to either redirect the site to another malicious domain or upload a malicious plugin or backdoor to further exploit the site," according to the notice. Patchstack added that the vulnerability is currently being exploited by users who are identified by various IP addresses and whose goal is to upload arbitrary PHP and ZIP archive files. The flaw was addressed in the 3.11.7 patch and Elementor Pro plugin users have been urged to update to that version or the latest 3.12.0 patch.