A vulnerability in Elementor Pro, a WordPress tool used by over 11 million websites, is being exploited by threat actors.
The security bug allows authorised users like shop customers or site admins to alter site settings, including administrator settings, risking website takeover.
Because access control in the plugin's WooCommerce module fails, attackers could change WordPress database options without validation.
NinTechNet, a cybersecurity firm, blogged that the vulnerability was found in March 2023.
Attackers used the security bug to redirect users to malicious webpages or to upload backdoors to the breached site.
These backdoors may allow attackers to send more data to compromised sites. These files could let intruders take over WordPress and steal data or install malware.
Elementor Pro users should update their sites immediately. The free version was not impacted by the flaw.