ALERT: Update WordPress Elementor Pro Plugin for Vulnerability

Monday, April 3, 2023

This message was sent to U-M IT groups on Monday, 4/3/23. It is intended for U-M IT staff who are responsible for university websites that use the WordPress Elementor Pro Plugin.

Summary

A vulnerability in Elementor Pro, a widely used WordPress plugin, is actively being exploited by threat actors. Apply the latest updates to Elementor Pro immediately after appropriate testing.

Problem

If a vulnerable version of Elementor Pro is used in combination with WooCommerce, a separate WordPress plugin, to create a WordPress website, any user with an account on the site (subscriber or customer) can create a new account with full admin access.

Threats

The vulnerability is being actively exploited in the wild.

Affected Versions

Any version of Elementor Pro prior to 3.11.7.

Action Items

Update to the latest version of the Elementor Pro plugin immediately after appropriate testing, or disable or remove the plugin if it is not currently needed.

Technical Details

According to Jerome Bruandet, a researcher with security firm NinTechNet, “An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration (users_can_register) and setting the default role (default_role) to “administrator,” change the administrator email address (admin_email), or redirect all traffic to an external malicious website by changing siteurl among many other possibilities.”

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Information for Users

Units have primary responsibility for the identification of their vulnerable sites. They should look to confirm whether or not they use and have updated the Elementor Pro plugin. The ITS Web Hosting team is also scanning ITS-hosted sites for the use of the vulnerable plugin. When possible ITS Web Hosting team will notify customers, provided they have accurate contact information.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.