Elementor Pro is a famous plugin which is running on more than 11 million WordPress sites at the moment. This plugin allows developers to create exquisite websites, enabling a handful of features. In a shocking revelation, it has been discovered that there is an extremely critical vulnerability in Elementor Pro which allows perpetrators to gain complete control of any WordPress site using this extension.
As per the sources, this vulnerability was first discovered by a NinTechNet researcher named Jerome Bruandet. Meanwhile, other researchers have also highlighted the fact that this vulnerability is currently under exploitation from attackers with compromised files uploaded to several websites.
About the issue itself, the said vulnerability is the result of a broken access control on the WooCommerce plugin module. This vulnerability allows unauthorized users to modify the WordPress database with serious consequences. Bruandet revealed in his blog that this flaw allows any authenticated or unauthorized person to leverage the vulnerability and create an administrator account to elevate privileges. In order for this vulnerability to be exploited, a combination of Elementor Pro and and WooCommerce plugins must be installed on the WordPress site.
Acknowledging the presence of this lethal vulnerability, the developer of Elementor acted swiftly and released a patch in the version 3.11.7 to counter the threat. But the problem is far from over.
Not all users and developers have upgraded their WordPress sites and any website using an Elementor version 3.11.6 or lower has a potentially dangerous flaw that can be exploited by hackers with catastrophic outcomes.