Hackers Target Vulnerable WordPress Elementor Plugin After PoC Released

Cyber Security Threat Summary:
“Hackers are now actively probing for vulnerable Essential Addons for Elementor plugin versions on thousands of WordPress websites in massive Internet scans, attempting to exploit a critical account password reset flaw disclosed earlier in the month. The critical-severity flaw is tracked as CVE-2023-32243 and impacts Essential Addons for Elementor versions 5.4.0 to 5.7.1, allowing unauthenticated attackers to arbitrarily reset the passwords of administrator accounts and assume control of the websites. The flaw that impacted over a million websites was discovered by PatchStack on May 8th, 2023, and fixed by the vendor on May 11th, with the release of the plugin's version 5.7.2” (Bleeping Computer, 2023).

This week, researchers released a proof-of-concept (PoC) exploit for the vulnerability on GitHub, meaning attackers will more readily take advantage of the exploit in attacks. BleepingComputer has received reports from various readers that their websites have been hit by hackers resetting the admin password by leveraging the flaw.

Security Officer Comments:
Elementor is a very popular WordPress plugin. In the past, WordPress has forced automatic updates for critical vulnerabilities in popular plugins, but it is still unclear whether it will push an update for this one. Users of Wordfence's free security package will not receive the protection rule for CVE-2023-32243 until June 20, 2023, so they are currently exposed as well. Given the volume of reported active scanning, that may be much too late.

“A Wordfence report published yesterday sheds more light, with the company claiming to observe millions of probing attempts for the presence of the plugin on websites and has blocked at least 6,900 exploitation attempts. On the day after the disclosure of the flaw, WordFence recorded 5,000,000 probing scans looking for the plugin's 'readme.txt' file, which contains the plugin's version information, and hence determines if a site is vulnerable” (Bleeping Computer, 2023). Attackers are actively looking for vulnerable websites. Most of these requests came from just two IP addresses, 185[.]496[.]220[.]26 and 185[.]244[.]175[.]65. As for the exploitation attempts, the IP address 78[.]128[.]60[.]112 accounted for a considerable volume, using the PoC exploit released on GitHub. Other high-ranking attacking IPs each account for between 100 and 500 attempts.

If attackers take over a website, they could gain access to sensitive data and, more critically, could add malicious URLs and downloads to existing pages, which could harm visitors and damage an organization's reputation.

Suggested Correction(s):
Website owners using the 'Essential Addons for Elementor' plugin are advised to apply the available security update by installing version 5.7.2 or later immediately. "Considering how easily this vulnerability can be successfully exploited, we highly recommend all users of the plugin update ASAP to ensure their site is not compromised by this vulnerability," advises Wordfence.

Additionally, website administrators should use the indicators of compromise listed on Wordfence's report and add the offending IP addresses to a blocklist to stop these and future attacks.
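As an added example (not code from the article, Wordfence or the plugin vendor), the Python below does the two defensive checks this write-up implies: it reads the installed plugin version from readme.txt and tests it against the affected range 5.4.0 to 5.7.1, and it counts readme.txt probes per client IP in web-server access logs so the noisiest sources can be added to a blocklist. The plugin directory slug is an assumption, and the readme and log lines are constructed sample data.

```python
import re
from collections import Counter

# Affected range stated in the advisory: 5.4.0 up to and including 5.7.1; fixed in 5.7.2.
VULNERABLE_MIN = (5, 4, 0)
FIXED_IN = (5, 7, 2)
# Plugin directory slug is an assumption; adjust to the path your install actually serves.
README_PATH = "/wp-content/plugins/essential-addons-for-elementor-lite/readme.txt"

def parse_version(text):
    """'5.7.1' -> (5, 7, 1); short versions such as '5.7' are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version):
    """True when the installed version falls inside the affected range."""
    return VULNERABLE_MIN <= parse_version(version) < FIXED_IN

def version_from_readme(readme_text):
    """Read the 'Stable tag' line that a WordPress plugin readme.txt exposes."""
    m = re.search(r"^Stable tag:\s*([0-9.]+)", readme_text, re.MULTILINE)
    return m.group(1) if m else None

# Apache/nginx combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def readme_probes(log_lines, threshold=3):
    """Count readme.txt fetches per client IP; return those at or above threshold."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, _status = m.groups()
        if path.split("?", 1)[0] == README_PATH:
            counts[ip] += 1  # 404s count too: the request itself is the signal
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample data (RFC 5737 documentation addresses, not real scanners).
SAMPLE_README = "=== Essential Addons for Elementor ===\nRequires at least: 5.0\nStable tag: 5.7.1\n"
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2023:10:00:01 +0000] "GET ' + README_PATH + ' HTTP/1.1" 200 2113 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/May/2023:10:00:02 +0000] "GET ' + README_PATH + ' HTTP/1.1" 200 2113 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/May/2023:10:00:03 +0000] "GET ' + README_PATH + '?v=1 HTTP/1.1" 200 2113 "-" "-"',
    '198.51.100.7 - - [12/May/2023:10:05:00 +0000] "GET ' + README_PATH + ' HTTP/1.1" 404 0 "-" "curl/8.0"',
    '198.51.100.8 - - [12/May/2023:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]
```

Run `readme_probes()` over your real access log and feed the returned IPs to your blocklist; `is_vulnerable(version_from_readme(...))` on your own site's readme.txt tells you whether the 5.7.2 update is still outstanding.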

Source: https://www.bleepingcomputer.com/