Beside Visual Composer, Elementor is one of the common and powerful drag and drop page builder for WordPress. This plugin can help us to create beautiful pages using a visual editor. It’s designed for you to build dynamic websites easily. This WordPress plugin is an all-in-1 solution. It support you to control every part of your website design in a single platform.
Arbitrary File Upload vulnerability discovered by Ramuel Gall (Wordfence) in WordPress Elementor Website Builder plugin (versions <= 3.6.2).
Update the WordPress Elementor Website Builder plugin to the latest available version (at least 3.6.3).
A critical vulnerability was fixed in the WordPress plugin Elementor.
The widely popular WordPress website builder plugin Elementor, which has over 5 million active installations, has recently released version 3.6.3 which contains an important security fix.
This vulnerability could allow any authenticated user, regardless of their authorization, to change the site title, site logo, change the theme to Elementor’s theme, and worst of all, upload arbitrary files to the site.
The arbitrary file upload vulnerability could allow someone to take over the entire site or perform remote code execution (RCE).
The Security Vulnerability in Elementor
The vulnerability exists due to an “onboarding” module that is loaded on every request and is hooked into the admin_init WordPress hook. This hook is fired on any admin-related screen/script but does not necessarily imply that it’s only fired when a higher privileged user is logged in on the site.
This module determines if the POST payload action and _nonce parameters are sent and also determines if the nonce that is sent along with the request is valid. From this point on it will execute the action given in the action parameter.
Since the nonce token that is checked in this module is sent to any authenticated user it makes it possible for any authenticated user to execute this action regardless of their authorization.
Note: At this time we are still determining if unauthenticated users are able to leak the nonce token as well (and thus are able to exploit the vulnerability).
Extracted from Patch Work – Critical Vulnerability Fixed In Elementor Plugin Version 3.6.3 – Patchstack