Security Flaw in Popular WordPress Page Builder Plug-In ‘Elementor’
A flaw in Elementor Pro, one of the most popular website design and creation tools, was recently discovered and subsequently exploited by hackers, allowing them to reset site administrator passwords and assume control of entire websites. The vulnerability applies to version 3.11.6 and earlier, and it places at risk not only websites that actively use the tool but also any that have it installed in an inactive or deselected state.
Organizations that deal heavily in proprietary information (e.g. engineering, CPA and accounting firms) are understandably among the more ‘at risk’ organizations, in terms of both the probability of being targeted for digital exploitation and the potential consequences of a successful security breach. Many of these firms also rely heavily on third parties for the development and maintenance of their website and digital infrastructure. We therefore hope this content can serve as a brief reminder to all organizations to work proactively with those you rely on for your web infrastructure to ensure that digital security is and remains a top priority.
What Can Happen
- Changes made to administrative settings
- Fake or false roles added to the site’s content management system
- Fake plug-ins installed
- Re-directing website visitors to spam pages
Any or all of these can harm both the security of the information stored within your website’s content management system and your company’s brand. For example, digital security firm Patchstack assesses that the security flaw allows an attacker to enable the registration page of any exposed website and to set the default user role to ‘administrator’. This is significant because the attacker can then create a new user account that has administrative privileges and use it either to redirect your organization’s website traffic to a malicious domain or to add malicious code to your website that may compromise the security of any data within the footprint of your company’s website and its underlying CMS.
If your website is breached, a full site recovery is not guaranteed, will require technical resources to execute, and will very likely take multiple days to complete. Where a restore from backup is required, any content posted or saved to the site after the backup date would very likely need to be added back manually.
The implications of losing control of secure or proprietary data will vary but can be far-reaching and severe.
Immediate Response
Action: If your website utilizes Elementor Pro, it is imperative that it be upgraded to version 3.11.7 or later immediately.
Since the flaw was originally discovered on March 18, 2023[1], WordPress has ‘force updated’ a plug-in associated with the breach (known as WooCommerce).
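The two settings Patchstack describes correspond to the WordPress options `users_can_register` and `default_role`, so they can be checked alongside the plug-in version. The following Python check is an added example, not code from the original article or from Elementor; the snapshot layout, its field names, the sample values and the use of the March 18, 2023 discovery date as a review cut-off are assumptions made for illustration.

```python
import re
from datetime import date

FIXED_VERSION = (3, 11, 7)           # first fixed release named in the article
DISCOVERY_DATE = date(2023, 3, 18)   # discovery date given in the article


def parse_version(text):
    """Turn '3.11.6' or 'V3.11.6' into a comparable tuple such as (3, 11, 6)."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def audit(site):
    """Return findings for one site snapshot (hypothetical dict layout)."""
    findings = []
    version = site.get("elementor_pro_version")
    if version and parse_version(version) < FIXED_VERSION:
        # Inactive installs are reported too: the article says they are at risk.
        status = site.get("elementor_pro_status", "unknown")
        findings.append(f"Elementor Pro {version} ({status}) is older than 3.11.7")
    options = site.get("options", {})
    if str(options.get("users_can_register", "0")) == "1":
        findings.append("registration is open (users_can_register = 1)")
    if options.get("default_role") == "administrator":
        findings.append("new accounts default to the administrator role")
    for user in site.get("administrators", []):
        registered = date.fromisoformat(user["registered"][:10])
        if registered >= DISCOVERY_DATE:  # assumption: review cut-off, not proof
            findings.append(f"review administrator {user['login']!r}, created {registered}")
    return findings


# Constructed sample snapshot; none of these values come from a real site.
SAMPLE_SITE = {
    "elementor_pro_version": "3.11.6",
    "elementor_pro_status": "inactive",
    "options": {"users_can_register": "1", "default_role": "administrator"},
    "administrators": [
        {"login": "site-owner", "registered": "2021-06-02 09:14:00"},
        {"login": "support-temp", "registered": "2023-03-30 22:41:07"},
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SITE):
        print("-", finding)
```

An administrator account flagged by the date check is only a prompt for manual review; accounts created legitimately after that date will appear as well.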
We strongly encourage all organizations to engage with those they rely on for website development, maintenance, and content management to discuss the status of their infrastructure and ensure that they are utilizing a robust strategy for not only protecting their content and data from this breach but also for monitoring for future vulnerabilities.
Whether you rely on in-house or third-party resources to manage your web infrastructure, meeting regularly to review the processes in place to protect your site and its data is time well spent.
For more expansive information concerning this breach, cyber security checklists and procedures specific to your organization, please contact us.
Read more: View the AICPA’s CPA cybersecurity checklist
[1] This vulnerability was discovered by NinTechNet researcher Jerome Bruandet on March 18, 2023, according to BleepingComputer writer Bill Toulas.