The Hacker News reports that a high-severity flaw in the WordPress website builder plugin Elementor Pro continues to be exploited by unidentified threat actors.
Affecting versions 3.11.6 and older, the vulnerability is described as a broken access control flaw that, when successfully exploited, allows an attacker to take over a WordPress site with WooCommerce enabled. Attackers are then able to re-enable the registration page if it was disabled, set the default user role to administrator, and create accounts with administrator privileges, according to a notice on Patchstack.
"After this, they are likely to either redirect the site to another malicious domain or upload a malicious plugin or backdoor to further exploit the site," according to the notice.
Patchstack added that the vulnerability is currently being exploited from a number of different IP addresses, with the goal of uploading arbitrary PHP and ZIP archive files. The flaw was addressed in version 3.11.7, and Elementor Pro users have been urged to update to that version or to the latest release, 3.12.0.
Vulnerabilities impacting cloud analytics and business intelligence software Qlik Sense have been exploited to facilitate the deployment of CACTUS ransomware in a new campaign, The Hacker News reports.