Description: Insufficient Access Control leading to Subscriber+ Remote Code Execution

Affected Plugin: Elementor

Plugin Slug: elementor

Plugin Developer: Elementor

Affected Versions: 3.6.0 – 3.6.2

CVE ID: CVE-2022-1329

CVSS Score: 9.9(Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Researcher/s: Ramuel Gall

Fully Patched Version: 3.6.3

The Elementor plugin for WordPress introduced an Onboarding module in version 3.6.0, designed to simplify the initial setup of the plugin. The module uses an unusual method to register AJAX actions, adding an admin_init listener in its constructor that first checks whether or not a request was to the AJAX endpoint and contains a valid nonce before calling the maybe_handle_ajax function.

Unfortunately no capability checks were used in the vulnerable versions. There are a number of ways for an authenticated user to obtain the Ajax::NONCE_KEY, but one of the simplest ways is to view the source of the admin dashboard as a logged-in user, as it is present for all authenticated users, even for subscriber-level users.

This means that any logged-in user could use any of the onboarding functions. Additionally, an unauthenticated attacker with access to the Ajax::NONCE_KEY could use any of the functions called from maybe_handle_ajax, though this would likely require a separate vulnerability.

The function with the most severe impact was the upload_and_install_pro function. An attacker could craft a fake malicious “Elementor Pro” plugin zip and use this function to install it. Any code present in the fake plugin would be executed, which could be used to take over the site or access additional resources on the server.

In addition to this functionality, a less sophisticated attacker could simply deface the site by using the maybe_update_site_name, maybe_upload_logo_image, and maybe_update_site_logo functions to change the site name and logo.

Timeline

March 29, 2022 – We finish our investigation and deploy a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers. We send our full disclosure to the plugin developer’s official security contact.

April 5, 2022 – We follow up with the plugin developer’s security contact as we have not yet received a response.

April 11, 2022 – We send our full disclosure to the WordPress Plugins team.

April 12, 2022 – A patched version of Elementor is released.

April 28, 2022 – The firewall rule becomes available to free Wordfence users.

Conclusion

In today’s post, we covered a Critical vulnerability that allows any authenticated user to upload and execute malicious code on a site running a vulnerable version of the Elementor plugin. If your site is using the Elementor plugin, we urge you to update immediately. The good news is that the vulnerability is not present in versions prior to 3.6.0 and was successfully patched in 3.6.3.