A critical vulnerability addressed in the Elementor WordPress plugin could allow authenticated users to upload arbitrary files to affected websites, potentially leading to code execution.
Elementor is a drag-and-drop website builder for WordPress with over 5 million installs.
Rated critical, the newly patched vulnerability was apparently introduced on March 22 in version 3.6.0 of the plugin. About a third of sites running the plugin were on a vulnerable version when the bug was found.
Plugin Vulnerabilities researchers, who identified the flaw, say the problem exists because certain features failed to perform capability checks, becoming available to users who should not have had access to them.
Due to the vulnerability, any authenticated user, regardless of permission, could make changes to the site, including uploading arbitrary files.
Thus, the security flaw could be exploited to obtain code execution and potentially take complete control of the vulnerable site.
According to Patchstack researchers, the flaw resides in an “onboarding” module loaded with each request, which got hooked to the admin_init WordPress hook.
“This hook is triggered on any admin-related screen/script, but does not necessarily imply that it will only be triggered when a privileged user is logged into the site,” says WordPress security firm Patchstack.
The faulty module performs the action named in the POST payload after checking only that the request carries a valid nonce. Because the nonce token is handed to every authenticated user, not just administrators, any logged-in account could pass that check and trigger the actions regardless of its permissions. The root cause is a nonce being treated as an authorization check: a WordPress nonce proves the request was not forged cross-site, but says nothing about what the calling user is allowed to do.
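The following is an added illustration of the bug class described above, written for this page; it is not Elementor's code and all identifiers (`vuln_example_*`, `fixed_example_*`, the `manage_options` capability choice) are hypothetical. The vulnerable half mirrors the pattern Patchstack describes: a handler hooked to `admin_init`, gated by a nonce that every logged-in user receives. The hardened half adds the missing capability check, withholds the nonce from users who cannot use it, and routes the upload through WordPress's own upload pipeline instead of writing wherever the client asks.

```php
<?php
/*
 * Added illustrative example (not Elementor's code). All names are hypothetical.
 *
 * admin_init fires on every request into wp-admin, including admin-ajax.php and
 * admin-post.php, for any logged-in user, so hooking a privileged action here
 * without a capability check exposes it to subscribers and the like.
 */

/* ---- VULNERABLE PATTERN: nonce check only ---- */

add_action( 'admin_init', 'vuln_example_handle_request' );
function vuln_example_handle_request() {
    if ( ! isset( $_POST['vuln_example_action'] ) ) {
        return;
    }
    // Passes for ANY authenticated user: the nonce is handed to all of them
    // by vuln_example_enqueue() below. Authentication != authorization.
    check_admin_referer( 'vuln_example_nonce', '_nonce' );

    if ( 'upload' === $_POST['vuln_example_action'] && ! empty( $_FILES['file'] ) ) {
        // Arbitrary file write into a web-reachable plugin directory: a .php
        // payload dropped here is code execution on the next request to it.
        $dest = WP_PLUGIN_DIR . '/vuln-example/' . basename( $_FILES['file']['name'] );
        move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    }
}

// The nonce is exposed to every logged-in user, whatever their role.
add_action( 'admin_enqueue_scripts', 'vuln_example_enqueue' );
function vuln_example_enqueue() {
    wp_enqueue_script( 'vuln-example', plugins_url( 'app.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'vuln-example', 'vulnExample', array(
        'nonce' => wp_create_nonce( 'vuln_example_nonce' ),
    ) );
}

/* ---- HARDENED PATTERN: authorize the caller, then authenticate the request ---- */

add_action( 'admin_init', 'fixed_example_handle_request' );
function fixed_example_handle_request() {
    if ( ! isset( $_POST['fixed_example_action'] ) ) {
        return;
    }
    // Capability check first. 'manage_options' is an assumption standing in
    // for whatever privilege the real feature should require.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF protection still matters for the users who are allowed in.
    check_admin_referer( 'fixed_example_nonce', '_nonce' );

    if ( 'upload' === $_POST['fixed_example_action'] && ! empty( $_FILES['file'] ) ) {
        // Let WordPress enforce allowed MIME types/extensions and confine the
        // write to the uploads directory instead of trusting the client name.
        require_once ABSPATH . 'wp-admin/includes/file.php';
        $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
        if ( isset( $result['error'] ) ) {
            wp_die( esc_html( $result['error'] ) );
        }
    }
}

// Only hand the nonce to users who are allowed to use it; a nonce a subscriber
// can read is not a secret the handler can rely on.
add_action( 'admin_enqueue_scripts', 'fixed_example_enqueue' );
function fixed_example_enqueue() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'fixed-example', plugins_url( 'app.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'fixed-example', 'fixedExample', array(
        'nonce' => wp_create_nonce( 'fixed_example_nonce' ),
    ) );
}
```

When auditing a plugin for this class of bug, look for `admin_init`, `admin_post_*` and `wp_ajax_*` handlers whose only gate is `check_admin_referer()` or `wp_verify_nonce()`, and trace where that nonce is emitted (`wp_localize_script`, inline `<script>`, REST responses). If it reaches a role that should not be able to perform the action, the nonce is not an access control.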
The issue was resolved with the release of Elementor version 3.6.3. WordPress admins are advised to update to a patched version of the plugin as soon as possible.