Elementor has patched a critical Remote Code Execution vulnerability that was discovered by threat analyst Ramuel Gall from Wordfence on March 29, 2022. Wordfence disclosed the vulnerability to Elementor via its official security contact email address but did not receive a timely reply. On April 11, 2022, Wordfence disclosed the vulnerability to the WordPress Plugins team. Elementor released a patch in version 3.6.3 on April 12, 2022.
Wordfence described the vulnerability as “Insufficient Access Control leading to Subscriber+ Remote Code Execution.” It received a CVSS (Common Vulnerability Scoring System) score of 9.9 (Critical). The vulnerability affects Elementor’s new onboarding module, introduced recently in version 3.6.0.
Wordfence published a technical explanation of how an attacker might gain unauthorized access:
The module uses an unusual method to register AJAX actions, adding an admin_init listener in its constructor that first checks whether or not a request was to the AJAX endpoint and contains a valid nonce before calling the maybe_handle_ajax function.
Unfortunately no capability checks were used in the vulnerable versions. There are a number of ways for an authenticated user to obtain the Ajax::NONCE_KEY, but one of the simplest ways is to view the source of the admin dashboard as a logged-in user, as it is present for all authenticated users, even for subscriber-level users.
Elementor is installed on more than five million WordPress sites, but this particular vulnerability affects versions 3.6.0 – 3.6.2. At most, this would affect ~34% of users, according to the stats for the plugin’s current active versions. Now that the vulnerability is public, Elementor users are advised to update immediately to version 3.6.3 or later. A related security fix is packaged with version 3.6.4, according to the plugin’s changelog: “Fix: Optimized controls sanitization to enforce better security policies in Onboarding wizard.”