Millions of WordPress sites at risk thanks to ‘Elementor Pro’ vulnerability.

Apr 03 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s the Stormy Daniels to cybercrime’s Donald Trump.

Today’s hottest cyber security stories:

  • Millions of WordPress sites at risk thanks to ‘Elementor Pro’ vulnerability
  • Are the NHS and military under cyber-siege? All Capita-supported systems are DOA
  • Treasury offers plumber’s salary for ‘Head of Cyber security’ role. On your bike, Gov!

ELEMENTOR, MY DEAR WORDPRESS!

Get Sherlock Holmes on the case because this one’s a doozy. If you’re anything like us, you may not have heard of ‘Elementor Pro’. But the fact is the premium WordPress website builder plugin is estimated to be used on more than 12 million sites.

The good news is the ‘broken access control’ issue has recently been patched by the Tel Aviv-based company who, to be fair, acted swiftly in dealing with the problem. Sorry Holmes, they beat you to it. Maybe it’s time to cut back on the gear, eh son?

Don’t relax just yet though, as the bad news is that many millions of websites will no doubt still be running the affected versions of Elementor Pro and, as such, need to update ASAP. We’re not kidding! You are at risk! Woah, *Norton Antivirus flashback*… No, I don’t want to renew my subscription! Ahhh! Sorry.

So, the affected versions of the popular WordPress plugin are:

3.11.6 and earlier

And it was addressed by the plugin maintainers in:

Version 3.11.7 released on March 22.

So, get updating people! The threat actors are in a state of frenzy, and they won’t stop ‘til they get enough! Shamone.

Let’s get serious for a second. What actually happened was a flurry of successful exploitations of the high-severity flaw, which allows an authenticated attacker to completely take over a WordPress site that has WooCommerce Elementor enabled. Scary stuff!

Patchstack said in an alert on March 30, 2023: “This makes it possible for a malicious user to turn on the registration page (if disabled) and set the default user role to administrator so they can create an account that instantly has the administrator privileges.”

“After this, they are likely to either redirect the site to another malicious domain or upload a malicious plugin or backdoor to further exploit the site.”
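The post-exploitation state Patchstack describes (registration switched on, default role set to administrator) is something a site owner can check for directly. The helper below is an added example, not code from the newsletter, Patchstack or Elementor: it flags an Elementor Pro version at or below 3.11.6 and the registration/role combination above. Values are passed as arguments so it runs offline; the wp-cli calls at the end (wp-cli and the `elementor-pro` plugin slug are assumptions, neither appears on the page) are one way to read them from a live site.

```shell
#!/bin/sh
# Added audit helper (not from the page). Checks the patch level and the
# users_can_register / default_role settings described in the Patchstack alert.

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
version_lt() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}              # missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1                              # equal versions are not "less than"
}

# audit_elementor VERSION USERS_CAN_REGISTER DEFAULT_ROLE
# Prints one FINDING line per issue; returns 1 if anything needs attention, else 0.
audit_elementor() {
    ver="$1"; reg="$2"; role="$3"; rc=0
    if version_lt "$ver" "3.11.7"; then
        echo "FINDING: Elementor Pro $ver is unpatched (fixed in 3.11.7)"; rc=1
    fi
    if [ "$reg" = "1" ] && [ "$role" = "administrator" ]; then
        echo "FINDING: open registration with default_role=administrator (takeover state)"; rc=1
    elif [ "$role" = "administrator" ]; then
        echo "FINDING: default_role=administrator"; rc=1
    fi
    return "$rc"
}

# Live-site usage (assumes wp-cli in PATH and the WordPress root in $WP_PATH).
if command -v wp >/dev/null 2>&1 && [ -n "$WP_PATH" ]; then
    audit_elementor \
        "$(wp plugin get elementor-pro --field=version --path="$WP_PATH")" \
        "$(wp option get users_can_register --path="$WP_PATH")" \
        "$(wp option get default_role --path="$WP_PATH")"
fi
```

A non-zero exit from audit_elementor on a patched site still means the options were changed; revert default_role, close registration and review the user list for unexpected administrators.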

NinTechNet security researcher Jerome Bruandet is the hero who discovered and reported the vulnerability on March 18, 2023.

Here’s to you, Jerome! 🍻

CAPITA-L COCK UP!

The big question on everybody’s lips (within the cybersphere, at least!) was ‘did Capita get hacked?’. It’s the age-old question did it fall or was it pushed? And the longer the silence persists, the more we lean to the latter.

Companies have a tendency of clamming up when in the midst of a cyber-standoff (especially when it’s ransomware!) and who could blame them? It’s a hellish game of chess with millions at stake – not to mention reputation!

DISCLAIMER!

Please be aware we are merely speculating, and, at time of writing, it is not clear why Capita systems went down on Friday.

For context, Capita is a major outsourcing company that has contracts with the NHS, the military, and countless other large-scale organisations. So yeah, they’re kind of a big deal.

Capita said in a statement released on Friday: “Following a technical problem which has affected access to some of our services today, we can confirm that we have identified an IT issue that is primarily impacting our internal systems.”

Sure, that’s what they all say, right? However, the government has a habit of cheaping out on infrastructure, so maybe this is just a monumental screwup on Capita’s part with no foul play at all. Although, we doubt it.

A spokesperson added: “We would like to reassure any customers whose services have been affected that we are making good progress and working closely with our technical partners to swiftly resolve the issues.”

A Capita insider said: “The reality is that we’ve had no access to anything related to Capita’s Azure Directory (AD) or Azure Active Directory, which includes VPN and all Microsoft 365 and Azure services.”

Hmm, sounds pretty bad. And that’s not all our inside man (or woman!) had to say…

He (or she!) continues: “The company is essentially at a standstill although I’m guessing that they’re gathering forensic data prior to restoring AD. There are rumours of an offshore employee clicking on a JavaScript-infected email, but that is exactly that. Rumour and conjecture. No one outside of the Red Team has any real knowledge – which is probably how it should be.”

Hopefully we’ll get an update soon otherwise the NHS could end up flatlining.

Kidding aside, lives could be at stake if this means communications remain severely impacted at the NHS so Godspeed guys!

Watch this space for updates on Capita SYSTEM DOWN.

UK GOVERNMENT: WE CHEAP OUT ON CYBERSECURITY.

CYBER-CRIMINALS: GOOD TO KNOW!

Geez, when will the government learn? You buy cheap; you buy twice! Here they are advertising for a ‘Head of Cyber Security’ role on the Treasury website and they’re offering 50k a year.

The above is a better advertisement to cybercriminals looking to target the UK than it is for cyber security workers looking for their next role…

Don’t get us wrong! 50k is certainly not to be sniffed at but when we’re talking about a Head of Cyber Security for the UK, you should really be looking at double that. AT LEAST!

In fact, according to job site Glassdoor, the average salary for the position in the private sector is around £130,000 per year.

Believe it or not, they were paying more for the role in 2019; you can read about that here.

Maybe the expenses will make up for it, eh? Or is that just MPs, not civil servants? Who knows.

See below tweet from well-known cybersecurity trainer Taz Wake:

So long and thanks for reading all the phish!
