• Resolved rodentooth


    Yesterday at 23:08 I received an email from my wordpress “Admin Email Changed”: “[…]The new admin email address is ad@example.com.[…]”

    Right after that, a new user registered, cryptic username “wpnew_kmyjzvfyoflv” This username had admin role!

    Today in the morning when I realized, I checked, in the settings was “Anyone can register” checked and standard userrole is Administrator. I fixed it and went ahead to the Apache Access logs. There I saw that before yesterday 23:08, all requests to “wp-login.php?action=register” were redirected to “registration=disabled”. Through this hint I think I can be sure that this setting was correct until the next two minutes. Log that shows such a redirect:

    [IPADDR] – – [29/Mar/2023:23:06:16 +0200] “GET /wp-login.php?registration=disabled HTTP/1.1” 200 3971 “https://[domainname]/wp-login.php?action=register” “Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36”

    From the access log I can only see that there were some admin-ajax post requests from the suspicious IP-Address at the time of the changes: POST /wp-admin/admin-ajax.php?action=elementor_ajax&_nonce=4c7b406e82

    After these post requests, the new user registred. I did not receive a “new user login” because the Administrator email was changed to “ad@example.com”

    How can I dig deeper into what caused this? I think Apache access logs do not store the post request data, sadly. Does anyone have an idea for me to expand my search?
    Please feel free to request more data if it would help to give some hints.

    I conducted the “FAQ My site was hacked” page and already begun to take measurements. However, I am not sure if I should load a backup from yesterday before 23:00.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The parameter value “elementor_ajax” indicates that you have Elementor and if that was the causing request, then the plugin could have been the gateway. Do you have all plugins up to date?

    Regardless, I would advise you to delete everything. Files as well as database. And then restore the project from a backup. After the restore, of course, bring everything up to date and change the access data.

    Alternatively, you can also use tools like https://wordpress.org/plugins/wordfence/ to find and fix possible further infections.

    Thread Starter rodentooth


    Thanks. Your information helped me. This vulnerability is actually already reported and fixed.

    “Elementor Pro, a popular page builder plugin for WordPress, fixed a broken access control vulnerability affecting versions <=3.11.6 that could allow full site takeover.”


Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Anyone can register + Standard Admin Role activated’ is closed to new replies.