---
title: "Critical RCE Vulnerability in Elementor WordPress Plugin: Update to Elementor 3.6.4 now!!"
date: 2022-04-15
author: "Shiv"
featured_image: "https://malcure.com/wp-content/uploads/2022/04/elementor-36-vulnerability.jpg"
categories:
  - name: "News"
    url: "/blog/news.md"
---

# Critical RCE Vulnerability in Elementor WordPress Plugin: Update to Elementor 3.6.4 now!!

![RCE Vulnerability in Elementor Plugin](https://malcure.com/wp-content/uploads/2022/04/elementor-36-vulnerability.jpg)

The [Elementor Website Builder plugin for WordPress](https://wordpress.org/plugins/elementor/) introduced an **Onboarding module** in version 3.6.0 to simplify the initial setup of the plugin. The module's request handler did not perform the **capability checks** it needed, so any authenticated user could upload and install an arbitrary plugin archive, resulting in remote code execution and a full site takeover.

## Elementor Vulnerability Details

**Description:** Insufficient Access Control leading to Subscriber+ Remote Code Execution  
**Security Risk:** High  
**Exploitation Level:** Easy  
**Affected Versions:** 3.6.0 – 3.6.2  
**CVE ID:** CVE-2022-1329  
**CVSS Score:** 9.9 (Critical)  
**Fully Patched Version:** 3.6.3

The Wordfence Threat Intelligence team initiated the disclosure process on March 29, 2022. The vulnerability stems from a lack of capability checks in the Onboarding module of the affected versions: an authenticated attacker can upload a malicious file disguised as a plugin archive and invoke the vulnerable `upload_and_install_pro` action, which installs the archive and executes the code it contains. Since the code runs with the privileges of the web server, the attacker can take over the site or access other resources on the host.
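The flaw class in miniature, as an added example (this is illustrative plugin code written for this post, not Elementor's own source; the `admin_init` hook, the `example_onboarding` nonce action, the `fileToUpload` field and the function names are assumptions). The first handler verifies a nonce but never asks who the caller is; the second adds the authorization check that was missing.

```php
<?php
/**
 * Illustrative WordPress plugin code, not Elementor's own: an admin_init
 * handler that installs an uploaded plugin archive. The first handler
 * reproduces the flaw class from the advisory (nonce check, no capability
 * check); the second shows the check that was missing. Action name, nonce
 * action and field names are assumptions for this example.
 */

// ---- Vulnerable pattern: a nonce is verified, authorization is not --------
add_action( 'admin_init', 'example_onboarding_handle_vulnerable' );
function example_onboarding_handle_vulnerable() {
    if ( ! isset( $_POST['action'] ) || 'upload_and_install_pro' !== $_POST['action'] ) {
        return;
    }
    // A nonce only proves the request came from a page that rendered it.
    // If that page (or the script variable carrying the nonce) is served to
    // every logged-in user, a subscriber passes this check too.
    check_ajax_referer( 'example_onboarding', '_nonce' );

    // No current_user_can() call: whoever holds a nonce gets to install code.
    example_install_uploaded_plugin( $_FILES['fileToUpload'] );
}

// ---- Hardened pattern: nonce AND capability AND site policy ---------------
add_action( 'admin_init', 'example_onboarding_handle_hardened' );
function example_onboarding_handle_hardened() {
    if ( ! isset( $_POST['action'] ) || 'upload_and_install_pro' !== $_POST['action'] ) {
        return;
    }
    check_ajax_referer( 'example_onboarding', '_nonce' );

    // Authorization: installing a plugin is code execution, so gate it on the
    // same capability WordPress core uses for Plugins > Add New.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    // Honour the site's own lockdown: DISALLOW_FILE_MODS disables installs.
    if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) {
        wp_send_json_error( 'Plugin installation is disabled on this site.', 403 );
    }
    if ( empty( $_FILES['fileToUpload']['tmp_name'] ) ) {
        wp_send_json_error( 'No file was uploaded.', 400 );
    }
    example_install_uploaded_plugin( $_FILES['fileToUpload'] );
}

/**
 * Shared install step. It only reaches the upgrader after WordPress agrees
 * the upload really is a zip archive.
 */
function example_install_uploaded_plugin( array $file ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    if ( 'zip' !== $check['ext'] ) {
        wp_send_json_error( 'Only .zip archives are accepted.', 400 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $file['tmp_name'] ); // unpacks into wp-content/plugins
    if ( is_wp_error( $result ) || true !== $result ) {
        wp_send_json_error( 'Installation failed.', 500 );
    }
    wp_send_json_success( array( 'installed' => $upgrader->plugin_info() ) );
}
```

The one line that matters is `current_user_can( 'install_plugins' )`. A nonce is a CSRF defence, not an authorization decision: it tells you the request was built from a page you served, not that the user behind it may perform the action. Any handler that ends in `Plugin_Upgrader::install()`, a file write under `wp-content`, or an `eval` must carry its own capability check, because WordPress does not add one for you.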

## Report Published by Wordfence

**Excerpts from the report published by Wordfence:**

> Unfortunately no capability checks were used in the vulnerable versions.
> 
> An attacker could craft a fake malicious “Elementor Pro” plugin zip and use this function to install it.
> 
> Any code present in the fake plugin would be executed, which could be used to take over the site or access additional resources on the server.

**Source:** [Critical Remote Code Execution Vulnerability in Elementor](https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/)

## Recommended Action

The vulnerability was introduced in Elementor version 3.6.0, and Wordfence reports that it was fully patched in version 3.6.3. However, the official [Elementor Changelog](https://wordpress.org/plugins/elementor/#developers) states that version 3.6.4 adds further sanitization fixes to the affected Onboarding wizard module.

Update to Elementor 3.6.4 or later immediately.

**Changelog:** 3.6.4 – 2022-04-13  
Fix: Optimized controls sanitization to enforce better security policies in Onboarding wizard

**Important Note:** We strongly recommend that you:

- Review all user accounts, especially administrators, in your WordPress dashboard and remove any you do not recognize. Change the passwords of all administrator accounts.
- Review the installed plugins list and the `wp-content/plugins` directory for entries you did not install, since this exploit delivers its payload as a plugin archive. Remove anything unfamiliar rather than merely deactivating it.
- If you run an e-commerce or membership site, rotate the WordPress salts (which invalidates all existing login sessions) and ask all users to reset their passwords.
- Run a complete website scan with our [malware scanner](https://wordpress.org/plugins/wp-malware-removal) to confirm there are no signs of infection.
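A quick way to tell which of the ranges above a site falls into, as an added example (written for this post, not part of the advisory or of any vendor tooling): read the `Version:` header from Elementor's main plugin file and compare it with `version_compare()`. The install path and the sample header are assumptions; when the real file is not readable the script falls back to the constructed sample so it still runs.

```php
<?php
/**
 * Illustrative check, added here and not part of the advisory or of any
 * vendor tooling: read the Version header of Elementor's main plugin file
 * and classify it against CVE-2022-1329. The site path and the sample
 * header below are assumptions; point $elementor_main at your install.
 */
function example_plugin_header_version( string $contents ): ?string {
    // Same header format WordPress itself parses with get_file_data():
    // a "Version: x.y.z" line inside the leading doc comment.
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*(.+)$/mi', $contents, $m ) ) {
        return trim( $m[1] );
    }
    return null;
}

function example_classify_elementor_version( string $version ): string {
    if ( version_compare( $version, '3.6.0', '<' ) ) {
        return 'not affected: the Onboarding module was introduced in 3.6.0';
    }
    if ( version_compare( $version, '3.6.3', '<' ) ) {
        return 'VULNERABLE (CVE-2022-1329): update to 3.6.4 or later now';
    }
    if ( version_compare( $version, '3.6.4', '<' ) ) {
        return 'patched against CVE-2022-1329 but below 3.6.4: update for the Onboarding sanitization fix';
    }
    return 'up to date for this advisory';
}

// Constructed stand-in for wp-content/plugins/elementor/elementor.php, used
// when the real file is not readable so the script runs anywhere.
$sample_header = <<<'TXT'
<?php
/**
 * Plugin Name: Elementor
 * Description: Constructed sample header for this example.
 * Version: 3.6.2
 */
TXT;

$elementor_main = '/var/www/html/wp-content/plugins/elementor/elementor.php'; // assumption
$contents       = is_readable( $elementor_main ) ? file_get_contents( $elementor_main ) : $sample_header;

$version = example_plugin_header_version( $contents );
if ( null === $version ) {
    fwrite( STDERR, "No Version header found\n" );
    exit( 1 );
}
printf( "Elementor %s: %s\n", $version, example_classify_elementor_version( $version ) );
```

Run it with `php check-elementor.php` on the server (or against a copy of the plugin file). Reading the header directly from disk is deliberate: it reflects what is actually installed even when the dashboard is unreachable or has itself been tampered with.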