On March 29, 2022, the Wordfence Threat Intelligence team initiated the disclosure process for a critical vulnerability in the Elementor plugin that allowed any authenticated user to upload arbitrary PHP code. Elementor is one of the most popular WordPress plugins and is installed on over 5 million websites.

We sent our disclosure to the official Elementor security contact email address on March 29, and followed up on April 5, 2022. As we did not receive a response by April 11, 2022, we sent the disclosure to the WordPress plugins team. A patched version of the plugin, 3.6.3, was released the next day on April 12, 2022.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule protecting against this issue on March 29, 2022. Sites still running the free version of Wordfence will receive the same protection 30 days later, on April 28, 2022.


Description: Insufficient Access Control leading to Subscriber+ Remote Code Execution
Affected Plugin: Elementor
Plugin Slug: elementor
Plugin Developer: Elementor
Affected Versions: 3.6.0 – 3.6.2
CVE ID: CVE-2022-1329
CVSS Score: 9.9(Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 3.6.3

The Elementor plugin for WordPress introduced an Onboarding module in version 3.6.0, designed to simplify the initial setup of the plugin. The module uses an unusual method to register AJAX actions, adding an admin_init listener in its constructor that first checks whether or not a request was to the AJAX endpoint and contains a valid nonce before calling the maybe_handle_ajax function.

		add_action( 'admin_init', function() {
			if ( wp_doing_ajax() &&
				isset( $_POST['action'] ) &&
				isset( $_POST['_nonce'] ) &&
				wp_verify_nonce( $_POST['_nonce'], Ajax::NONCE_KEY )
			) {
				$this->maybe_handle_ajax();
			}
		} );

Unfortunately no capability checks were used in the vulnerable versions. There are a number of ways for an authenticated user to obtain the Ajax::NONCE_KEY, but one of the simplest ways is to view the source of the admin dashboard as a logged-in user, as it is present for all authenticated users, even for subscriber-level users.

This means that any logged-in user could use any of the onboarding functions. Additionally, an unauthenticated attacker with access to the Ajax::NONCE_KEY could use any of the functions called from maybe_handle_ajax, though this would likely require a separate vulnerability.

The function with the most severe impact was the upload_and_install_pro function. An attacker could craft a fake malicious “Elementor Pro” plugin zip and use this function to install it. Any code present in the fake plugin would be executed, which could be used to take over the site or access additional resources on the server.

In addition to this functionality, a less sophisticated attacker could simply deface the site by using the maybe_update_site_name, maybe_upload_logo_image, and maybe_update_site_logo functions to change the site name and logo.

Timeline

March 29, 2022 – We finish our investigation and deploy a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers. We send our full disclosure to the plugin developer’s official security contact.
April 5, 2022 – We follow up with the plugin developer’s security contact as we have not yet received a response.
April 11, 2022 – We send our full disclosure to the WordPress Plugins team.
April 12, 2022 – A patched version of Elementor is released.
April 28, 2022 – The firewall rule becomes available to free Wordfence users.

Conclusion

In today’s post, we covered a Critical vulnerability that allows any authenticated user to upload and execute malicious code on a site running a vulnerable version of the Elementor plugin. If your site is using the Elementor plugin, we urge you to update immediately. The good news is that the vulnerability is not present in versions prior to 3.6.0 and was successfully patched in 3.6.3.

Wordfence Premium, Wordfence Care, and Wordfence Response customers are fully protected from this vulnerability. Sites running the free version of Wordfence will receive the same protection on April 28, 2022, but have the option of updating Elementor to the patched version 3.6.3 to eliminate the risk immediately.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

If you know a friend or colleague who is using WordPress, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a Critical vulnerability that makes it easy for attackers to take over a site.

The post Critical Remote Code Execution Vulnerability in Elementor appeared first on Wordfence.