After launching on iOS, Twitter is giving Android users the ability to easily switch between seeing the reverse-chronological “latest tweets” and the algorithmic “top tweets” feeds on their home page. The company announced the rollout at a media event in New York.
The “sparkle button” is a way for Twitter to appease long-time power tweeters while also shifting more of its user base to the algorithmic feed, which the company says has served to increase the number of conversations happening on the platform.
You can read more about the company’s algorithmic feed thinking here:
2019-01-16
Hackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them the ability to take complete control of millions of sites, researchers said.
The vulnerability, which carries a severity rating of 8.8 out of a possible 10, is present in Elementor Pro, a premium plugin running on more than 12 million sites powered by the WordPress content management system. Elementor Pro allows users to create high-quality websites using a wide range of tools, one of which is WooCommerce, a separate WordPress plugin. When a site runs Elementor Pro with WooCommerce active, anyone with an account on the site—say a subscriber or customer—can create new accounts that have full administrator privileges.
The vulnerability was discovered by Jerome Bruandet, a researcher with security firm NinTechNet. Last week, Elementor, the developer of the Elementor Pro plugin, released version 3.11.7, which patched the flaw. In a post published on Tuesday, Bruandet wrote:
An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration (users_can_register) and setting the default role (default_role) to “administrator”, change the administrator email address (admin_email) or, as shown below, redirect all traffic to an external malicious website by changing siteurl among many other possibilities:
    MariaDB [example]> SELECT * FROM `wp_options` WHERE `option_name`='siteurl';
    +-----------+-------------+------------------+----------+
    | option_id | option_name | option_value     | autoload |
    +-----------+-------------+------------------+----------+
    |         1 | siteurl     | https://evil.com | yes      |
    +-----------+-------------+------------------+----------+
    1 row in set (0.001 sec)
Now, researchers with a separate security firm, PatchStack, report that the vulnerability is under active exploitation. Attacks are coming from a variety of IP addresses, including:
193.169.194.63
193.169.195.64
194.135.30.6
Files uploaded to compromised sites often have the following names:
wp-resortpack.zip
wp-rate.php
lll.zip
URLs of compromised sites are often being changed to:
away[dot]trackersline[dot]com
The broken access control vulnerability stems from Elementor Pro’s use of the “elementor-pro/modules/woocommerce/module.php” component. When WooCommerce is running, this script registers the following AJAX actions:
    /**
     * Register Ajax Actions.
     *
     * Registers ajax action used by the Editor js.
     *
     * @since 3.5.0
     *
     * @param Ajax $ajax
     */
    public function register_ajax_actions( Ajax $ajax ) {
        // `woocommerce_update_page_option` is called in the editor save-show-modal.js.
        $ajax->register_ajax_action( 'pro_woocommerce_update_page_option', [ $this, 'update_page_option' ] );
        $ajax->register_ajax_action( 'pro_woocommerce_mock_notices', [ $this, 'woocommerce_mock_notices' ] );
    }
and
    /**
     * Update Page Option.
     *
     * Ajax action can be used to update any WooCommerce option.
     *
     * @since 3.5.0
     *
     * @param array $data
     */
    public function update_page_option( $data ) {
        update_option( $data['option_name'], $data['editor_post_id'] );
    }
The update_option function “is supposed to allow the Administrator or the Shop Manager to update some specific WooCommerce options, but user input aren’t validated and the function lacks a capability check to restrict its access to a high privileged user only,” Bruandet explained. He continued:
Elementor uses its own AJAX handler to manage most of its AJAX actions, including pro_woocommerce_update_page_option, with the global elementor_ajax action. It is located in the “elementor/core/common/modules/ajax/module.php” script of the free version (which is required to run Elementor Pro):
    /**
     * Handle ajax request.
     *
     * Verify ajax nonce, and run all the registered actions for this request.
     *
     * Fired by `wp_ajax_elementor_ajax` action.
     *
     * @since 2.0.0
     * @access public
     */
    public function handle_ajax_request() {
        if ( ! $this->verify_request_nonce() ) {
            $this->add_response_data( false, esc_html__( 'Token Expired.', 'elementor' ) )
                ->send_error( Exceptions::UNAUTHORIZED );
        }
        ...
Anyone using Elementor Pro should ensure they’re running 3.11.7 or later, as all previous versions are vulnerable. It’s also a good idea for these users to check their sites for the signs of infection listed in the PatchStack post.
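The two gaps Bruandet describes in update_page_option, a missing capability check and unvalidated input, are closed in the sketch below. It is an added example, not Elementor's code or its 3.11.7 patch; the function name, the allowlist contents, the returned status strings and the small stand-ins for current_user_can() and update_option() (there so the file runs with plain php outside WordPress) are assumptions.

```php
<?php
// Added example, not Elementor's code. Stand-ins for WordPress so the file runs
// with plain `php`; inside WordPress the real functions are used instead.
$GLOBALS['demo_caps']    = [];                                       // constructed: current user's capabilities
$GLOBALS['demo_options'] = [ 'siteurl' => 'https://shop.example' ];  // constructed: in-memory wp_options

if ( ! function_exists( 'current_user_can' ) ) {
    function current_user_can( $cap ) {
        return in_array( $cap, $GLOBALS['demo_caps'], true );
    }
    function update_option( $name, $value ) {
        $GLOBALS['demo_options'][ $name ] = $value;
        return true;
    }
}

// Assumption: the only options the editor legitimately needs to write through this action.
const ALLOWED_PAGE_OPTIONS = [
    'woocommerce_cart_page_id',
    'woocommerce_checkout_page_id',
    'woocommerce_myaccount_page_id',
];

/** Hypothetical hardened replacement for update_page_option(). */
function hardened_update_page_option( array $data ) {
    // 1. Capability check: a subscriber or customer must never reach update_option().
    if ( ! current_user_can( 'manage_options' ) && ! current_user_can( 'manage_woocommerce' ) ) {
        return 'forbidden';
    }
    // 2. Allowlist the option name with a strict comparison, so siteurl, default_role,
    //    users_can_register and admin_email can never be written through this action.
    $name = $data['option_name'] ?? '';
    if ( ! is_string( $name ) || ! in_array( $name, ALLOWED_PAGE_OPTIONS, true ) ) {
        return 'option not allowed';
    }
    // 3. The value must be a positive integer post ID, never free text or a URL.
    $post_id = filter_var( $data['editor_post_id'] ?? null, FILTER_VALIDATE_INT, [ 'options' => [ 'min_range' => 1 ] ] );
    if ( false === $post_id ) {
        return 'invalid page id';
    }
    update_option( $name, $post_id );
    return 'updated';
}

// Constructed requests: first from a customer account, then from a shop manager.
$GLOBALS['demo_caps'] = [ 'read' ];
echo hardened_update_page_option( [ 'option_name' => 'default_role', 'editor_post_id' => 'administrator' ] ), "\n";
$GLOBALS['demo_caps'] = [ 'manage_woocommerce' ];
echo hardened_update_page_option( [ 'option_name' => 'siteurl', 'editor_post_id' => 'https://evil.com' ] ), "\n";
echo hardened_update_page_option( [ 'option_name' => 'woocommerce_cart_page_id', 'editor_post_id' => '42' ] ), "\n";
```

The nonce check in handle_ajax_request() stays in place in front of such a handler, but a nonce only shows the request came from a logged-in session; it is the capability check that separates a customer from a shop manager.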
As soon as Lars Ruiter steps out of his car, he is confronted by a Microsoft security guard, who is already seething with anger. Ruiter, a local councillor, has parked in the rain outside a half-finished Microsoft data center that rises out of the flat North Holland farmland. He wants to see the construction site. The guard, who recognizes Ruiter from a previous visit when he brought a TV crew here, says that’s not allowed. Within minutes, the argument has escalated, and the guard has his hand around Ruiter’s throat.
The security guard lets go of Ruiter within a few seconds, and the councillor escapes with a red mark across his neck. Back in his car, Ruiter insists he’s fine. But his hands shake when he tries to change gears. He says the altercation—which he will later report to the police—shows the fog of secrecy that surrounds the Netherlands’ expanding data center business.
“We regret an interaction that took place outside our data center campus, apparently involving one of Microsoft’s subcontractors,” says Craig Cincotta, general manager at Microsoft, adding that the company would cooperate with the authorities.
The heated exchange between Ruiter and Microsoft’s security guard shows how contentious Big Tech’s data centers have become in rural parts of the Netherlands. As the Dutch government sets strict environmental targets to cut emissions, industries are being forced to compete for space on Dutch farmland—pitting big tech against the increasingly political population of Dutch farmers.
There are around 200 data centers in the Netherlands, most of them renting out server space to several different companies. But since 2015, the country has also witnessed the arrival of enormous “hyperscalers,” buildings that generally span at least 10,000 square feet and are set up to service a single (usually American) tech giant. Lured here by the convergence of European internet cables, temperate climates, and an abundance of green energy, Microsoft and Google have built hyperscalers; Meta has tried and failed.
Against the backdrop of an intensifying Dutch nitrogen crisis, building these hyperscalers is becoming more controversial. Nitrogen, produced by cars, agriculture, and heavy machinery used in construction, can be a dangerous pollutant, damaging ecosystems and endangering people’s health. The Netherlands produces four times more nitrogen than the average across the EU. The Dutch government has pledged to halve emissions by 2030, partly by persuading farmers to reduce their livestock herds or leave the industry altogether. Farmers have responded with protests, blockading roads with tractors and manure and dumping slurry outside the nature minister’s home.
The courts have also halted thousands of building projects—forcing construction jobs like Microsoft’s to apply for permits proving they would not make the nitrogen crisis worse.
However, Microsoft’s newest data center has yet to receive those permits. The local environment agency told WIRED it is still assessing the company’s paperwork. In a system where farmers and house developers’ projects have stalled as they wait for nitrogen permits, there’s a sense that Microsoft has jumped the queue. “They don’t have the right permission to build,” says Ruiter, who represents the municipality of Hollands Kroon. To him, it is a double standard to let Microsoft keep building while other construction work has been put on hold. “When farmers don’t have the permission to build a farm, they will not build the farm. Microsoft doesn’t have the right permission to build a data center, but they already got started building the data center.”
Stills from an AI-generated video of Will Smith eating spaghetti that has been heating up the Internet.
Amid this past week’s controversies in AI over regulation, fears of world-ending doom, and job disruption, the clouds have briefly parted. For a brief and shining moment, we can enjoy an absolutely ridiculous AI-generated video of Will Smith eating spaghetti that is now lighting up our lives with its terrible glory.
On Monday, a Reddit user named “chaindrop” shared the AI-generated video on the r/StableDiffusion subreddit. It quickly spread to other forms of social media and inspired mixed ruminations in the press. For example, Vice said the video will “haunt you for the rest of your life,” while the AV Club called it the “natural end point for AI development.”
We’re somewhere in between. The 20-second silent video consists of 10 independently generated two-second segments stitched together. Each one shows different angles of a simulated Will Smith (at one point, even two Will Smiths) ravenously gobbling up spaghetti. It’s entirely computer-generated, thanks to AI.
And you will see it now:
We know what you’re thinking: “Didn’t I see this kind of advanced deepfake technology in 1987’s The Running Man?” No, that was Jesse “The Body” Ventura defeating a fake Arnold Schwarzenegger in a dystopic game show cage match, set somewhere between 2017 and 2019. Here in 2023, we have fake Will Smith eating spaghetti.
This feat is possible due to a new open source AI tool called ModelScope, released a few weeks ago by DAMO Vision Intelligence Lab, a research division of Alibaba. ModelScope is a “text2video” diffusion model that has been trained to create new videos from prompts by analyzing millions of images and thousands of videos scraped into the LAION5B, ImageNet, and Webvid datasets. That includes videos from Shutterstock, hence the ghostly “Shutterstock” watermark on its output.
AI community HuggingFace currently hosts an online demo of ModelScope, although it requires an account, and you’ll need to pay for compute time to run it. We tried to use it but it was overloaded, likely due to Smith’s spaghetti mania.
According to chaindrop, the workflow for creating the video was fairly simple: give ModelScope the prompt “Will Smith eating spaghetti” and generate it at 24 frames per second (FPS). Next, chaindrop used the Flowframes interpolation tool to increase the FPS from 24 to 48, then slowed it down to half speed, resulting in a smoother video.
Of course, ModelScope isn’t the only game in town regarding the emerging field of text2video. Recently, Runway debuted “Gen-2,” and we’ve previously covered early text2video research projects from Meta and Google.
Since Will Smith eating spaghetti became a viral hit, the Internet has been graced with follow-ups such as Scarlett Johansson and Joe Biden eating spaghetti. There’s even Smith eating meatballs, a video that is perhaps actually truly horrifying. But it’s still great somehow—perfect future meme fodder.
Of course, once the outputs of these text2video tools get too realistic, we’ll have other issues to deal with—deep social and cultural issues, likely. But for now, let’s enjoy ModelScope’s imperfect, horrible glory. We apologize in advance.