ALERT: Update WordPress Elementor Pro Plugin for Vulnerability
Monday, April 3, 2023
This message was sent to U-M IT groups on Monday, 4/3/23. It is intended for U-M IT staff who are responsible for university websites that use the WordPress Elementor Pro Plugin.
A vulnerability in Elementor Pro, a widely used WordPress plugin, is actively being exploited by threat actors. Apply the latest updates to Elementor Pro immediately after appropriate testing.
If a vulnerable version of Elementor Pro is used in combination with WooCommerce, a separate WordPress plugin, to create a WordPress website, any user with an account on the site (subscriber or customer) can create a new account with full admin access.
The vulnerability is being actively exploited in the wild.
Any version of Elementor Pro prior to 3.11.7 is affected.
Update to the latest version of the Elementor Pro plugin immediately after appropriate testing, or disable or remove the plugin if it is not currently needed.
According to Jerome Bruandet, a researcher with security firm NinTechNet, “An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration (users_can_register) and setting the default role (default_role) to ‘administrator,’ change the administrator email address (admin_email), or redirect all traffic to an external malicious website by changing siteurl among many other possibilities.”
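A site-owner's check that turns the statements above into something a unit can run against its own sites, as an added example that is not U-M's, Elementor's or the researcher's code: it flags an Elementor Pro version prior to 3.11.7 and then audits the wp_options values the quoted description names (users_can_register, default_role, admin_email, siteurl, plus home) for the changes an attacker would make. The option snapshot can be exported with WP-CLI's `wp option list`; the sample values, the expected admin address and the expected site URL below are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

FIXED_VERSION = "3.11.7"  # first patched Elementor Pro release, per the advisory


def version_tuple(version: str) -> Tuple[int, ...]:
    """Parse '3.11.6' into (3, 11, 6). Plain string comparison would wrongly
    rank '3.9.2' above '3.11.7', so compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    """Any Elementor Pro version prior to 3.11.7 is affected."""
    return version_tuple(version) < version_tuple(FIXED_VERSION)


def audit_options(options: Dict[str, str], expected_admin_email: str,
                  expected_siteurl: str) -> List[str]:
    """Return findings for the wp_options values named in the advisory.
    `options` maps option_name -> option_value, as stored in wp_options."""
    findings = []
    if options.get("users_can_register") == "1":
        findings.append("users_can_register is enabled (open registration)")
    if options.get("default_role") == "administrator":
        findings.append("default_role is administrator (new sign-ups become admins)")
    if options.get("admin_email", "").lower() != expected_admin_email.lower():
        findings.append(f"admin_email changed to {options.get('admin_email')!r}")
    for key in ("siteurl", "home"):  # both control where WordPress sends traffic
        if options.get(key, "").rstrip("/") != expected_siteurl.rstrip("/"):
            findings.append(f"{key} points to {options.get(key)!r} (possible redirect)")
    return findings


def assess(version: str, options: Dict[str, str], expected_admin_email: str,
           expected_siteurl: str) -> List[str]:
    """Combine the version check and the option audit into one finding list."""
    findings = audit_options(options, expected_admin_email, expected_siteurl)
    if is_vulnerable(version):
        findings.insert(0, f"Elementor Pro {version} is prior to {FIXED_VERSION}: update now")
    return findings


# Constructed sample: an unpatched site whose options already show tampering.
SAMPLE_OPTIONS = {"users_can_register": "1", "default_role": "administrator",
                  "admin_email": "someone@attacker.example",
                  "siteurl": "https://redirect.attacker.example",
                  "home": "https://www.example.edu"}

if __name__ == "__main__":
    for line in assess("3.11.6", SAMPLE_OPTIONS, "webmaster@example.edu",
                       "https://www.example.edu"):
        print("FINDING:", line)
```

Run it on an exported option list for each site; an empty result means the plugin is at or past 3.11.7 and none of the watched options deviate from what you expect.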
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Information for Users
Units have primary responsibility for identifying their vulnerable sites. They should confirm whether they use the Elementor Pro plugin and, if so, whether it has been updated. The ITS Web Hosting team is also scanning ITS-hosted sites for use of the vulnerable plugin. When possible, the ITS Web Hosting team will notify customers, provided it has accurate contact information.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
- Critical Elementor Pro Vulnerability Exploited (patchstack, 3/30/23)
- Hackers exploit WordPress plugin flaw that gives full control of millions of sites (Ars Technica, 3/31/23)
- Hackers Exploiting WordPress Elementor Pro Vulnerability: Millions of Sites at Risk! (The Hacker News, 4/1/23)