Critical WordPress “Elementor” Plugin Site-Takeover Vulnerability

April 2, 2023


Elementor has released a patch for a critical vulnerability affecting the Elementor WordPress page builder plugin.

Successful exploitation allows an unauthenticated attacker to impersonate an administrator and take over the website completely, with no user interaction or social engineering required.

The Vulnerability

  • Authentication bypass and privilege escalation vulnerability in the WooCommerce module used by the Elementor plugin. It lets unauthenticated attackers impersonate any user on the website and, from there, gain full access to the site’s administrator account.

Affected Products

WordPress Elementor Plugin Versions 3.11.6 and below

Mitigation

CYREBRO recommends updating to the latest plugin version (3.12.0) as soon as possible.
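Before and after patching, it is worth confirming from the filesystem which Elementor version each site actually runs, since a fleet of WordPress installs rarely updates in lockstep. The following POSIX shell script is an added example written for this page; it is not part of the CYREBRO advisory or of Elementor's own code. It reads the version from the standard WordPress plugin header (the `Version:` line in the plugin's main PHP file), compares it numerically against 3.11.6, the highest affected version stated above, and prints one report line per site. The plugin path `wp-content/plugins/elementor/elementor.php` is an assumption about the install layout; the constructed sample site in `demo_constructed_site` exists only so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the CYREBRO advisory or of Elementor's own code.
# Reads the version of an installed Elementor plugin from the standard
# WordPress plugin header ("Version: x.y.z" in the plugin's main PHP file) and
# reports whether it falls in the affected range (3.11.6 and below).
# Assumed path: <webroot>/wp-content/plugins/elementor/elementor.php

AFFECTED_MAX="3.11.6"   # highest affected version stated in the advisory

# plugin_version FILE
# Print the value of the "Version:" header line, e.g. " * Version: 3.11.5".
# Only the leading numeric dotted part is kept, so "3.12.0-beta1" -> "3.12.0".
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# version_le A B
# Exit 0 when dotted version A is less than or equal to B. Components are
# compared numerically (so 3.9 < 3.11, unlike a string comparison); missing
# trailing components count as 0; only the first three components are used.
version_le() {
    a="$1.0.0"; b="$2.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0   # all three components equal
}

# is_affected VERSION
# Print "affected" (exit 0) or "patched" (exit 1) for a version string.
is_affected() {
    if version_le "$1" "$AFFECTED_MAX"; then
        echo "affected"
        return 0
    fi
    echo "patched"
    return 1
}

# check_site WEBROOT
# Print one report line: "<webroot>: elementor <version> affected|patched".
check_site() {
    f="$1/wp-content/plugins/elementor/elementor.php"   # assumed plugin path
    if [ ! -f "$f" ]; then
        echo "$1: elementor not installed"
        return 2
    fi
    v=$(plugin_version "$f")
    if [ -z "$v" ]; then
        echo "$1: could not read plugin version from $f"
        return 2
    fi
    printf '%s: elementor %s %s\n' "$1" "$v" "$(is_affected "$v")"
}

# demo_constructed_site
# Build a throwaway WordPress-like tree with a constructed plugin header
# (version 3.11.5, chosen to fall in the affected range), run check_site on
# it and print the report line with the temp path removed.
demo_constructed_site() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/plugins/elementor"
    printf '<?php\n/**\n * Plugin Name: Elementor\n * Version: 3.11.5\n * Requires at least: 6.0\n */\n' \
        > "$tmp/wp-content/plugins/elementor/elementor.php"
    check_site "$tmp" | sed "s|^$tmp: ||"
    rm -rf "$tmp"
}

# Usage: sh check_elementor.sh /var/www/site1 /var/www/site2 ...
# With no arguments, run the constructed demo instead.
if [ "$#" -gt 0 ]; then
    for root in "$@"; do check_site "$root"; done
else
    demo_constructed_site
fi
```

Run it with one or more web roots as arguments to get a line per site; a non-zero exit from `check_site` marks a site that needs attention (affected, missing, or unreadable). Where WP-CLI is available, `wp plugin get elementor --field=version` reports the same header value, but the file-based check also works on hosts where PHP cannot be invoked from the shell.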

References: Elementor Advisory
