The Elementor Website Builder plugin for WordPress introduced an Onboarding module in version 3.6.0 to simplify the initial setup of the plugin. This module introduced a vulnerability that allows an attacker to upload arbitrary code and take over the site completely. The flaw was caused by missing capability checks in code paths that required them.
Security Risk: High
Exploitation Level: Easy
Affected Versions: 3.6.0 – 3.6.2
CVE ID: CVE-2022-1329
CVSS Score: 9.9 (Critical)
Fully Patched Version: 3.6.3
The disclosure process was initiated by the Wordfence Threat Intelligence team on March 29, 2022. Their report states that this critical vulnerability stems from a lack of capability checks in vulnerable versions of the plugin. Because of this, attackers can upload malicious code as a fake plugin archive file and use the vulnerable upload_and_install_pro action to execute their payload in the compromised environment. By exploiting this vulnerability, attackers can easily take over the site or access resources on the web server.
Excerpts from the report published by Wordfence:
Unfortunately no capability checks were used in the vulnerable versions.
An attacker could craft a fake malicious “Elementor Pro” plugin zip and use this function to install it.
Any code present in the fake plugin would be executed, which could be used to take over the site or access additional resources on the server.
Source: Critical Remote Code Execution Vulnerability in Elementor
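As an added illustration of the missing-authorization pattern the report describes (this is not Elementor's own code; the function, action and nonce names are hypothetical), a WordPress AJAX handler that installs an uploaded plugin archive, shown first without any authorization and then gated on a nonce and the install_plugins capability:

```php
<?php
// Added illustration (not Elementor's own code): a hypothetical WordPress AJAX
// handler that installs a plugin zip carried in the request. The "before" form
// omits authorization, which is the class of defect this advisory describes; the
// "after" form refuses the request unless a nonce and a capability check pass.

// BEFORE (hypothetical, insecure): any request that reaches admin-ajax.php with
// this action installs whatever archive it carries.
function example_install_pro_handler_insecure() {
    $file = $_FILES['pro_zip'] ?? null;
    if ( ! $file ) {
        wp_send_json_error( 'no file' );
    }
    example_install_plugin_zip( $file['tmp_name'] ); // unpacks and installs code
    wp_send_json_success();
}

// AFTER (hypothetical, hardened): the caller must prove the request came from
// the onboarding page (nonce) AND hold a capability WordPress reserves for
// administrators (install_plugins) before any archive is touched.
function example_install_pro_handler_secure() {
    check_ajax_referer( 'example_onboarding_nonce', 'nonce' ); // dies on failure
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $file = $_FILES['pro_zip'] ?? null;
    if ( ! $file || 'zip' !== pathinfo( $file['name'], PATHINFO_EXTENSION ) ) {
        wp_send_json_error( 'a .zip archive is required', 400 );
    }
    example_install_plugin_zip( $file['tmp_name'] );
    wp_send_json_success();
}

// Helper assumed for the illustration: installs a plugin from a local archive
// through core's Plugin_Upgrader so file handling follows WordPress conventions.
function example_install_plugin_zip( $path ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return $upgrader->install( $path );
}

// Register on wp_ajax_ (logged-in users only), never wp_ajax_nopriv_, so
// unauthenticated requests never reach the handler; the capability check above
// then stops low-privilege accounts that are logged in.
add_action( 'wp_ajax_example_install_pro', 'example_install_pro_handler_secure' );
```

The capability check is the decisive control: a nonce alone only proves the request originated from the plugin's page, which any logged-in user can load, so both checks are needed.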
The vulnerability was introduced in Elementor version 3.6.0, and Wordfence reports that it was fully patched in version 3.6.3. However, the official Elementor changelog states that version 3.6.4 fixes sanitization issues related to the affected Onboarding wizard module.
So it’s better to immediately update to Elementor 3.6.4.
3.6.4 – 2022-04-13
Fix: Optimized controls sanitization to enforce better security policies in Onboarding wizard
Important Note: We strongly recommend that you:
- Review all user accounts, especially the administrator users in your WordPress dashboard, and remove any suspicious ones. Change the passwords for all administrator accounts.
- If you are running an e-commerce or membership site, change the WordPress salts and ask all your users to update their passwords.
- Run a complete website scan using our malware scanner to make sure there are no signs of infection.