The authors of the Elementor Website Builder plugin for WordPress have just released version 3.6.3 to fix a critical remote code execution flaw that can affect up to 500,000 websites.
Although exploiting the flaw requires authentication, its critical severity is given by the fact that anyone connected to the vulnerable website can exploit it, including regular subscribers.
A malicious actor creating a normal user account on an affected website could change the name and theme of the affected site, making it look completely different.
Security researchers believe that a non-logged-in user could also exploit the Elementor plugin’s recently patched flaw, but they have not confirmed this scenario.
In a report published this week by researchers from the WordPress Plugin Vulnerabilities security service, who found the vulnerability, outline the technical details behind the problem in Elementor.
The problem lies in the lack of crucial access control on one of the plugin files, “module.php”, which is loaded on every request during the admin_init action, even for users who are not logged in, the researchers explain.
One of the functions triggered by the admin_init The action allows the uploading of files in the form of a WordPress plugin. A malicious actor could place a malicious file there to achieve remote code execution.
The researchers say the only restriction in place is access to a valid nonce. However, they discovered that the relevant nonce is present in “the WordPress admin pages source code that starts ‘elementorCommonConfig’, which is included when logged in as a user with the subscriber role”.
Impact and fixation
According to Plugin Vulnerabilities, the issue was introduced with Elementor 3.6.0, released on March 22, 2022.
WordPress statistics indicate that around 30.7% of Elementor users have upgraded to 3.6.x, indicating that the maximum number of potentially affected sites is around 1,500,000.
The plugin has been downloaded just over a million times today. Assuming they were all for 3.6.3, there must still be around 500,000 vulnerable websites.
The latest version includes a commit that implements an additional check on nonce access, using the WordPress “current_user_can” function.
Although this should close the security gap, researchers have not yet validated the fix and the Elementor team has not released any details about the fix.
BleepingComputer has contacted the Elementor security team and will update this article as soon as we receive a response.
Plugin Vulnerabilities also released a proof of concept (PoC) to prove exploitability, increasing the risk of vulnerable websites being compromised.
Admins are advised to apply the latest available update for the Elementor WordPress plugin or remove the plugin completely from your website.