As of May 2023, an official CVE designation is still pending for a vulnerability in Elementor Pro that allows authenticated users (for example, ordinary e-commerce customers) to gain total control of websites running Elementor Pro 3.11.6 or earlier with the WooCommerce plugin active.
This vulnerability is a case of Broken Access Control, which is the most severe of OWASP’s Top 10 risks. It is caused by a missing capability check on the update_page_option function in Elementor Pro. This allows authenticated users with subscriber-level capabilities to update arbitrary site options, which can lead to privilege escalation.
Wordfence has blocked 82 attacks targeting this vulnerability in the past 24 hours.
To mitigate this vulnerability, users should upgrade Elementor Pro to at least version 3.11.7.
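To show the bug class described above from the fixing side, here is an added illustration (not Elementor Pro's code) of a hypothetical WordPress plugin's admin-ajax option-update handler, first without any authorization check and then hardened with a nonce, a capability check and an option allowlist. The action names, option names and the `demo_` functions are invented for the example.

```php
<?php
// Added illustration of a missing capability check on an option-updating
// handler. Hypothetical plugin code, not Elementor Pro's implementation.

// BEFORE: wp_ajax_* hooks are reachable by every logged-in user, and this
// handler never asks who is calling, so a subscriber can write any option.
function demo_update_option_vulnerable() {
    $name  = sanitize_key( $_POST['option_name'] ?? '' );
    $value = wp_unslash( $_POST['option_value'] ?? '' );
    update_option( $name, $value ); // no nonce, no capability check, any option
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_update_option_vulnerable', 'demo_update_option_vulnerable' );

// AFTER: verify a nonce, require a high-privilege capability, and restrict
// the writable options to an explicit allowlist.
const DEMO_ALLOWED_OPTIONS = array( 'demo_shop_banner_text', 'demo_shop_banner_enabled' );

function demo_update_option_hardened() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'demo_update_option', 'nonce' );

    // 2. Authorization: being logged in is not enough; require manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Least privilege on the data: only the plugin's own options may be
    //    written, so the handler can never touch sensitive core options.
    $name = sanitize_key( $_POST['option_name'] ?? '' );
    if ( ! in_array( $name, DEMO_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( array( 'message' => 'option not permitted' ), 400 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_update_option_hardened', 'demo_update_option_hardened' );
```

When reviewing a plugin, every `wp_ajax_*` and REST callback that calls `update_option()` should show the same three checks; a handler that skips the capability check is exactly the pattern the Elementor Pro fix in 3.11.7 addresses.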
Other WordPress Plugins
In addition to the Elementor Pro vulnerability, several other WordPress plugins are also vulnerable to Broken Access Control. These include:
- Contact Form 7
- Gravity Forms
- Yoast SEO
Users of these plugins should also upgrade to the latest versions to mitigate the risk of attack.
How to Stay Safe
The best way to stay safe from these types of vulnerabilities is to keep your WordPress plugins up to date. You can also use a security plugin like Wordfence to help block attacks.
Here are some additional tips for staying safe:
- Use strong passwords and two-factor authentication.
- Be careful about what plugins you install. Only install plugins from trusted sources.
- Keep your WordPress software up to date.
- Back up your website regularly.
By following these tips, you can help protect your website from attack.