Security researchers have uncovered a critical vulnerability in Elementor Pro, a popular WordPress plugin used by over 12 million websites, which could allow attackers to take control of millions of sites. The vulnerability, rated 8.8 out of 10 in severity, was discovered by Jerome Bruandet of NinTechNet, who revealed that an attacker could exploit the flaw to create an administrator account, change the administrator email address, redirect traffic to a malicious website, and perform a range of other malicious activities.
The vulnerability affects Elementor Pro versions below 3.11.7, and researchers from PatchStack have confirmed that it is currently being exploited by hackers. Therefore, it is crucial for users of Elementor Pro to ensure that they have updated to the latest version and to examine their websites for signs of infection.
Elementor Pro is a widely used WordPress plugin that offers a range of features for building high-quality websites, including integration with WooCommerce. However, when certain conditions are met, an attacker who holds only a low-privileged account on the site, such as a subscriber or WooCommerce customer, can create new accounts with full administrator privileges, which makes the plugin a tempting target for hackers.
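The two checks the article asks site owners to perform, confirming the installed version is at or above 3.11.7 and looking for the signs of compromise it lists (an unexpected administrator account, a changed administrator email address, a changed site address used to redirect traffic), can be scripted. The following is an added example written for this page, not code from NinTechNet, PatchStack or Elementor. It assumes the plugin version, user list and relevant options have already been exported from the site into plain Python structures; the sample values below are constructed for illustration.

```python
"""Defender-side audit for the Elementor Pro issue described above.

Added example (not the page's or the vendor's code). Inputs are assumed to be
exported from the site beforehand, e.g. with WP-CLI; sample data is constructed.
"""
import re

# First safe Elementor Pro release named in the article.
FIXED_VERSION = (3, 11, 7)


def parse_version(text: str) -> tuple:
    """Turn '3.11.6' into (3, 11, 6); only the leading digits of each part count."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(installed: str) -> bool:
    """True when the installed Elementor Pro version is below 3.11.7."""
    return parse_version(installed) < FIXED_VERSION


def audit_site(plugin_version: str, users: list, options: dict, baseline: dict) -> list:
    """Return human-readable findings; an empty list means nothing suspicious.

    users:    list of {"login", "roles", "registered"} dicts exported from the site
    options:  current values of admin_email, siteurl and home
    baseline: the owner's known-good admin logins and option values
    """
    findings = []
    if is_vulnerable(plugin_version):
        findings.append(f"Elementor Pro {plugin_version} is below 3.11.7; update immediately")

    # Sign 1: an administrator account the owner did not create.
    known_admins = set(baseline["known_admins"])
    for user in users:
        if "administrator" in user["roles"] and user["login"] not in known_admins:
            findings.append(
                f"unexpected administrator account: {user['login']} "
                f"(registered {user['registered']})"
            )

    # Sign 2 and 3: changed administrator email, or changed site/home URL
    # (the latter is how traffic gets redirected elsewhere).
    for key in ("admin_email", "siteurl", "home"):
        if options.get(key) != baseline[key]:
            findings.append(f"option {key} changed: {baseline[key]!r} -> {options.get(key)!r}")
    return findings


# Constructed sample export: one legitimate admin, one customer, one admin that
# appeared after the exploitation window, and a replaced admin_email.
SAMPLE_VERSION = "3.11.6"
SAMPLE_USERS = [
    {"login": "owner", "roles": ["administrator"], "registered": "2021-05-02"},
    {"login": "shopper42", "roles": ["customer"], "registered": "2023-03-20"},
    {"login": "wp_support", "roles": ["administrator"], "registered": "2023-03-29"},
]
SAMPLE_OPTIONS = {
    "admin_email": "unknown@example.net",
    "siteurl": "https://shop.example",
    "home": "https://shop.example",
}
BASELINE = {
    "known_admins": {"owner"},
    "admin_email": "owner@shop.example",
    "siteurl": "https://shop.example",
    "home": "https://shop.example",
}

if __name__ == "__main__":
    for line in audit_site(SAMPLE_VERSION, SAMPLE_USERS, SAMPLE_OPTIONS, BASELINE):
        print("FINDING:", line)
```

On a real site the inputs can be pulled with WP-CLI, for example `wp plugin get elementor-pro --field=version` (the slug `elementor-pro` is assumed here), `wp user list --fields=user_login,roles,user_registered --format=json` and `wp option get admin_email`; the baseline should come from a backup or change log, not from the possibly compromised site itself. A finding of an unexpected administrator or a changed email is a reason to treat the site as compromised and rotate credentials, not merely to update the plugin.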
The discovery of this vulnerability underscores the importance of staying vigilant about website security and promptly applying patches and updates to software and plugins. It also highlights the risks of relying on popular software and plugins, which are more likely to be targeted because of their widespread use.
Website owners should prioritize website security by regularly monitoring their website for signs of compromise, using strong passwords, and implementing two-factor authentication where possible.
Additionally, they should ensure that all software and plugins are kept up to date with the latest security patches and updates. In conclusion, the discovery of this critical vulnerability in Elementor Pro should serve as a reminder to all website owners to prioritize website security and take proactive measures to protect their websites from potential threats.