WordPress Elementor Plugin Remote Code Execution Vulnerability

A vulnerability was discovered in Elementor, starting with version 3.6.0, that allows an attacker to upload arbitrary code and stage a full site takeover. The flaw was introduced in a new “onboarding” wizard feature due to the lack of proper security policies.

Missing Capability Check

The fault in Elementor was related to what is known as a capability check.

Capability checks are a security layer that plugin authors are expected to build into their code. A capability check verifies what permission level the currently logged-in user has before privileged code runs.

For example, a person with a subscriber level permission may be able to submit comments on articles but they will not have the permission level that gives them access to the WordPress edit screen to publish posts to the site.

User roles include admin, editor, customer, and so on. Each role is assigned its own set of user capabilities.

When a plugin runs privileged code, it is supposed to check whether the user has sufficient capability to execute that code.

WordPress published a plugin handbook that specifically addresses this important security check.

The chapter is called User Capabilities Check, and it explains what plugin makers need to know about such security checks.

The WordPress Handbook advises:

“User Capabilities Check

If your plugin allows users to submit data—whether on the admin or public side—it should test user capabilities.

…The most important step in building an efficient security layer is to have a user permission system. WordPress provides this in the form of user roles and capabilities.”

Elementor version 3.6.0 introduced a new module (the Onboarding Module) that failed to include the capabilities check.

So the problem with Elementor isn’t that the hackers were clever and found a way to do a full site takeover of Elementor-based websites.

The exploit in Elementor was due to a failure to use capability checks where they were required.
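The pattern described above, shown as an added illustration that is not Elementor’s code: a hypothetical admin-ajax handler that installs an uploaded plugin archive, first without any authorization check and then with the nonce and capability checks the WordPress handbook calls for. The action name, nonce name and helper function are assumptions for the example; `current_user_can`, `check_ajax_referer` and `Plugin_Upgrader` are WordPress core APIs.

```php
<?php
// Added example (not Elementor's code). Action, nonce and helper names are assumed.

// Vulnerable pattern: every logged-in user, including subscribers, can reach
// wp_ajax_* handlers, and nothing here verifies who is calling.
function example_onboarding_install_plugin_unchecked() {
    $result = example_install_uploaded_zip( $_FILES['plugin_zip'] ?? null );
    wp_send_json( $result );
}

// Hardened pattern: verify the nonce (request forgery) and the capability
// (authorization) before any privileged work happens.
function example_onboarding_install_plugin_checked() {
    // Dies with a 403 unless the request carries a valid nonce for this action.
    check_ajax_referer( 'example_onboarding_nonce', 'nonce' );

    // install_plugins is the core capability that gates plugin installation;
    // by default only administrators (super admins on multisite) hold it.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $result = example_install_uploaded_zip( $_FILES['plugin_zip'] ?? null );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 400 );
    }
    wp_send_json_success( $result );
}
// Only the checked handler is registered as an AJAX endpoint.
add_action( 'wp_ajax_example_onboarding_install', 'example_onboarding_install_plugin_checked' );

// Shared helper: validates the upload and hands it to WordPress's own installer.
function example_install_uploaded_zip( $file ) {
    if ( ! $file || UPLOAD_ERR_OK !== $file['error'] ) {
        return new WP_Error( 'no_upload', 'No plugin archive was uploaded.' );
    }
    // Accept only a .zip archive; reject anything else before it touches disk.
    $type = wp_check_filetype( $file['name'], array( 'zip' => 'application/zip' ) );
    if ( 'zip' !== $type['ext'] ) {
        return new WP_Error( 'bad_type', 'Only .zip archives are accepted.' );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    // Plugin_Upgrader::install accepts a local path as well as a URL.
    return $upgrader->install( $file['tmp_name'] );
}
```

The capability check is the authorization decision; the nonce alone only proves the request came from a page the site served and would not stop a low-privilege user who is legitimately logged in.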

According to the report published by Wordfence:

“Unfortunately no capability checks were used in vulnerable versions.

An attacker could craft a fake malicious “Elementor Pro” plugin zip and use this function to install it.

Any code contained in the mock plugin will be executed, which can be used to take over the site or access additional resources on the server.”

Recommended Action

The vulnerability was introduced in Elementor version 3.6.0 and thus is not present in versions prior to that.

Wordfence recommends that publishers update to version 3.6.

However, the official Elementor changelog indicates that version 3.6.4 fixes sanitization issues related to the affected Onboarding Wizard module.

So it’s probably a good idea to update to Elementor 3.6.

Elementor WordPress Plugin Changelog Screenshot

Read Wordfence report on Elementor vulnerability

Critical Remote Code Execution Vulnerability in Elementor
