Hackers Exploit Critical Elementor Vulnerability For Admin Access

By Evan Lipford


11+ Million At Risk!

A critical broken access control vulnerability has been found in Elementor Pro, versions 3.11.6 and earlier, which lets any logged-in user, including low-privileged ones, modify arbitrary WordPress options and from there take full administrative control of sites running the plugin alongside WooCommerce. Elementor is the most popular page builder for WordPress, with over 11.07 million active installations (as of April of last year), and every version of Elementor Pro before 3.11.7 is affected, so this vulnerability has the potential to impact millions of businesses.

It is important to note that this vulnerability is only present in the Pro version, although those running the free version should also update as soon as possible.

The Elementor team responded quickly: only 96 hours passed between the discovery of the vulnerability and the release of version 3.11.7, which patches it entirely.

The vulnerability was discovered by security researcher Jerome Bruandet at NinTechNet. Unfortunately, researchers at Patchstack have since confirmed that it is being actively exploited from a number of IP addresses, including but not limited to the following:

  • 193.169.194.63
  • 193.169.195.64
  • 194.135.30.6

If you are going to log in to your host server to audit your files, compromised websites have been found containing files with these names:

  • wp-resortpack.zip
  • wp-rate.php
  • lll.zip

Let's take a look at how attackers were able to exploit the vulnerability, with an excerpt from the original analysis:

When Elementor Pro is installed on a site that has WooCommerce activated, it loads its “elementor-pro/modules/woocommerce/module.php” component, which registers a couple of AJAX actions:

    /**
     * Register Ajax Actions.
     *
     * Registers ajax action used by the Editor js.
     *
     * @since 3.5.0
     *
     * @param Ajax $ajax
     */
    public function register_ajax_actions( Ajax $ajax ) {
       // `woocommerce_update_page_option` is called in the editor save-show-modal.js.
       $ajax->register_ajax_action( 'pro_woocommerce_update_page_option', [ $this, 'update_page_option' ] );
       $ajax->register_ajax_action( 'pro_woocommerce_mock_notices', [ $this, 'woocommerce_mock_notices' ] );
    }

One of them is pro_woocommerce_update_page_option, which is used by Elementor's built-in editor. It calls update_option, a function that can be used to modify WordPress options in the database, with two user-submitted inputs:

    /**
     * Update Page Option.
     *
     * Ajax action can be used to update any WooCommerce option.
     *
     * @since 3.5.0
     *
     * @param array $data
     */
    public function update_page_option( $data ) {
       update_option( $data['option_name'], $data['editor_post_id'] );
    }

This function is supposed to allow the Administrator or the Shop Manager to update some specific WooCommerce options, but user inputs aren't validated and the function lacks a capability check to restrict its access to a high privileged user only.

Elementor uses its own AJAX handler to manage most of its AJAX actions, including pro_woocommerce_update_page_option, with the global elementor_ajax action. It is located in the "elementor/core/common/modules/ajax/module.php" script of the free version (which is required to run Elementor Pro):

    /**
     * Handle ajax request.
     *
     * Verify ajax nonce, and run all the registered actions for this request.
     *
     * Fired by `wp_ajax_elementor_ajax` action.
     *
     * @since 2.0.0
     * @access public
     */
    public function handle_ajax_request() {
       if ( ! $this->verify_request_nonce() ) {
          $this->add_response_data( false, esc_html__( 'Token Expired.', 'elementor' ) )
             ->send_error( Exceptions::UNAUTHORIZED );
       }
       ...

We can see that it includes a nonce check that could potentially prevent bad actors from exploiting the vulnerability. But the nonce and all JS code related to it is loaded via the admin_enqueue_scripts hook in “elementor/core/common/app.php”:

    add_action( 'admin_enqueue_scripts', [ $this, 'register_scripts' ] );

It therefore leaks in the source of the page to all logged in users.


An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration (users_can_register) and setting the default role (default_role) to “administrator”, change the administrator email address (admin_email) or, as shown below, redirect all traffic to an external malicious website by changing siteurl among many other possibilities:

    MariaDB [example]> SELECT * FROM `wp_options` WHERE `option_name`='siteurl';
    +-----------+-------------+------------------+----------+
    | option_id | option_name | option_value     | autoload |
    +-----------+-------------+------------------+----------+
    |         1 | siteurl     | https://evil.com | yes      |
    +-----------+-------------+------------------+----------+
    1 row in set (0.001 sec)

Because the vulnerable component requires WooCommerce to be installed, an unauthenticated user can create a WooCommerce customer account, log in and exploit the vulnerability too (WooCommerce customers can access the back-end by adding wc-ajax=1 to the query, e.g., https://example.com/wp-admin/?wc-ajax=1).

Analysis Performed by Jerome Bruandet
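The analysis above identifies three missing controls in update_page_option: no capability check, no restriction on which option may be written, and no validation of the value. As an added illustration (this is not Elementor's code and not the vendor's 3.11.7 patch, which is not reproduced on this page), the first part of the file below shows what those checks look like; the second part is a stand-alone mu-plugin that refuses to let anyone without manage_options change the options the analysis names (users_can_register, default_role, admin_email, siteurl), which is a reasonable virtual patch to keep in place while an update is pending. The class name, the allowlist of option names, the jt_ function names and the required capability are assumptions chosen for the example.

```php
<?php
/**
 * Added example for this article; it is NOT Elementor's code and NOT the
 * vendor's 3.11.7 patch. Part 1 shows the checks missing from
 * update_page_option(). Part 2 is a stand-alone mu-plugin that blocks
 * non-administrators from changing the options named in the analysis.
 * Class, function, hook and option names below are assumptions.
 */

/* ---- Part 1: a hardened update_page_option() ---------------------------- */

class Hardened_WooCommerce_Module {

    // Assumed allowlist: the only options this editor action should ever
    // write. Anything else (users_can_register, default_role, siteurl, ...)
    // is rejected before update_option() is reached.
    const ALLOWED_OPTIONS = [
        'woocommerce_cart_page_id',
        'woocommerce_checkout_page_id',
        'woocommerce_myaccount_page_id',
        'woocommerce_shop_page_id',
    ];

    public function update_page_option( $data ) {
        // 1. Authorization. The elementor_ajax nonce only proves the request
        //    was built from an admin page that every logged-in user can read;
        //    it says nothing about who is allowed to change settings.
        if ( ! current_user_can( 'manage_woocommerce' ) ) {
            wp_send_json_error( [ 'message' => 'Insufficient permissions.' ], 403 );
        }

        // 2. Validate the option name against the allowlist.
        $option_name = isset( $data['option_name'] ) ? (string) $data['option_name'] : '';
        if ( ! in_array( $option_name, self::ALLOWED_OPTIONS, true ) ) {
            wp_send_json_error( [ 'message' => 'Option not allowed.' ], 400 );
        }

        // 3. Validate the value: these options hold a page ID, so accept only
        //    a positive integer that refers to an existing page.
        $page_id = isset( $data['editor_post_id'] ) ? absint( $data['editor_post_id'] ) : 0;
        if ( 0 === $page_id || 'page' !== get_post_type( $page_id ) ) {
            wp_send_json_error( [ 'message' => 'Invalid page ID.' ], 400 );
        }

        update_option( $option_name, $page_id );

        return [ 'option_name' => $option_name, 'value' => $page_id ];
    }
}

/* ---- Part 2: mu-plugin guarding the high-value options ------------------ */

// Options an attacker would target with an arbitrary update_option() primitive.
const JT_GUARDED_OPTIONS = [ 'users_can_register', 'default_role', 'admin_email', 'siteurl', 'home' ];

/**
 * Runs on pre_update_option_{$option}. Returning the old value makes
 * update_option() a no-op, so the write is refused without an error page.
 */
function jt_guard_sensitive_option( $value, $old_value, $option ) {
    // WP-CLI and cron run with no logged-in user; allow WP-CLI explicitly so
    // "wp option update" by an operator keeps working.
    $is_cli = defined( 'WP_CLI' ) && WP_CLI;
    if ( $is_cli || current_user_can( 'manage_options' ) ) {
        return $value;
    }
    error_log( sprintf(
        'jt-guard: blocked update of option "%s" by user %d from %s',
        $option,
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? 'cli'
    ) );
    return $old_value;
}

foreach ( JT_GUARDED_OPTIONS as $jt_option ) {
    add_filter( "pre_update_option_{$jt_option}", 'jt_guard_sensitive_option', 10, 3 );
}
```

To use the guard, drop the file in wp-content/mu-plugins/ so it loads before regular plugins. It is defence in depth, not a substitute for the update: it only covers the listed options, and an attacker with an arbitrary option-write primitive has other targets (plugin settings, cron hooks, widget content), so watch the error log for "jt-guard" entries and treat any of them as a confirmed exploitation attempt.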

What To Do Next

If you are running Elementor Pro, update to version 3.11.7 or newer as quickly as possible. The update was released on March 22, 2023, and is available worldwide.

In addition to updating, we recommend that you audit your website for newly created user accounts (especially administrators), check the WordPress options this vulnerability targets (users_can_register, default_role, admin_email and siteurl) for unexpected values, and look for the file names mentioned above. It is also wise to review your access logs for any activity from the IP addresses exploiting this vulnerability.
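The file and log checks above can be scripted. The script below is an added example and not part of the original article; it walks a web root for the dropped file names and scans a combined-format access log for requests from the listed IP addresses, tagging the two request paths the analysis describes (the wc-ajax=1 back-end entry used by WooCommerce customer accounts, and POSTs to admin-ajax.php, where elementor_ajax requests land). The sample log lines at the bottom are constructed, not real traffic, and the script name is an assumption.

```php
<?php
/**
 * Added example, not part of the original article: a small triage script
 * for the indicators listed above.
 *
 * Usage:  php elementor_ioc_audit.php /var/www/html /var/log/nginx/access.log
 * With no arguments it runs against constructed sample data so it can be
 * tried offline. Requires PHP 8.0+ (str_contains).
 */

// Indicators from the article.
const IOC_IPS   = [ '193.169.194.63', '193.169.195.64', '194.135.30.6' ];
const IOC_FILES = [ 'wp-resortpack.zip', 'wp-rate.php', 'lll.zip' ];

/** Walk $root and return the full path of every file whose name is an IOC. */
function find_ioc_files( string $root ): array {
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $iter as $entry ) {
        if ( $entry->isFile() && in_array( $entry->getFilename(), IOC_FILES, true ) ) {
            $hits[] = $entry->getPathname();
        }
    }
    return $hits;
}

/**
 * Scan combined-format access log lines; return one record per request from
 * an IOC IP. 'tag' distinguishes plain hits from the exploitation paths.
 */
function scan_access_log( iterable $lines ): array {
    $hits = [];
    $n    = 0;
    foreach ( $lines as $line ) {
        $n++;
        // client-ip ident user [time] "METHOD /path HTTP/x" status
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m ) ) {
            continue; // malformed or empty line
        }
        [ , $ip, $method, $path, $status ] = $m;
        if ( ! in_array( $ip, IOC_IPS, true ) ) {
            continue;
        }
        $tag = 'ioc-ip';
        if ( 'POST' === $method && str_contains( $path, 'admin-ajax.php' ) ) {
            $tag = 'ioc-ip+admin-ajax';   // where elementor_ajax requests land
        } elseif ( str_contains( $path, 'wc-ajax=1' ) ) {
            $tag = 'ioc-ip+wc-ajax';      // customer account reaching the back-end
        }
        $hits[] = [
            'line'   => $n,
            'ip'     => $ip,
            'method' => $method,
            'path'   => $path,
            'status' => (int) $status,
            'tag'    => $tag,
        ];
    }
    return $hits;
}

// Constructed sample log lines (not real traffic) for the offline run.
const SAMPLE_LOG = [
    '203.0.113.9 - - [22/Mar/2023:10:00:01 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '193.169.194.63 - - [22/Mar/2023:10:00:05 +0000] "GET /wp-admin/?wc-ajax=1 HTTP/1.1" 200 312 "-" "python-requests/2.28"',
    '193.169.194.63 - - [22/Mar/2023:10:00:06 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "python-requests/2.28"',
    '194.135.30.6 - - [22/Mar/2023:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.88"',
];

$web_root = $argv[1] ?? null;
$log      = isset( $argv[2] ) ? new SplFileObject( $argv[2] ) : SAMPLE_LOG;

if ( null !== $web_root ) {
    foreach ( find_ioc_files( $web_root ) as $path ) {
        echo "FILE  $path\n";
    }
}
foreach ( scan_access_log( $log ) as $h ) {
    printf( "LOG   line %-6d %-15s %-4s %-3d %-18s %s\n",
        $h['line'], $h['ip'], $h['method'], $h['status'], $h['tag'], $h['path'] );
}
```

A hit on one of these IPs is only a starting point: the article notes the list is not exhaustive, and the request body of an admin-ajax.php POST (where the option name and value travel) is not in a standard access log, so pair the log review with the database side. With WP-CLI, `wp option get users_can_register`, `wp option get default_role`, `wp option get siteurl` and `wp option get admin_email` show the current values of the targeted options, and `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` lists administrator accounts with their registration dates so that recently created ones stand out.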

If you need IT Support in Colorado Springs to assist you with your audit, we would be happy to help here at Jenta Tech.
