Critical Remote Code Execution Vulnerability in Elementor

On March 29, 2022, the Wordfence Threat Intelligence team initiated the disclosure process for a critical vulnerability in the Elementor plugin that allowed any authenticated user to upload arbitrary PHP code. Elementor is one of the most popular WordPress plugins and is installed on over 5 million websites.

We sent our disclosure to the official Elementor security contact email address on March 29, and followed up on April 5, 2022. As we did not receive a response by April 11, 2022, we sent the disclosure to the WordPress plugins team. A patched version of the plugin, 3.6.3, was released the next day on April 12, 2022.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule protecting against this issue on March 29, 2022. Sites still running the free version of Wordfence will receive the same protection 30 days later, on April 28, 2022.


Description: Insufficient Access Control leading to Subscriber+ Remote Code Execution
Affected Plugin: Elementor
Plugin Slug: elementor
Plugin Developer: Elementor
Affected Versions: 3.6.0 – 3.6.2
CVE ID: CVE-2022-1329
CVSS Score: 9.9 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Researcher/s: Ramuel Gall
Fully Patched Version: 3.6.3

The Elementor plugin for WordPress introduced an Onboarding module in version 3.6.0, designed to simplify the initial setup of the plugin. The module uses an unusual method to register AJAX actions, adding an admin_init listener in its constructor that first checks whether or not a request was to the AJAX endpoint and contains a valid nonce before calling the maybe_handle_ajax function.

add_action( 'admin_init', function() {
	// Only the AJAX context and a valid nonce are checked here; no
	// capability check (current_user_can) is performed before dispatch.
	if ( wp_doing_ajax() &&
		isset( $_POST['action'] ) &&
		isset( $_POST['_nonce'] ) &&
		wp_verify_nonce( $_POST['_nonce'], Ajax::NONCE_KEY )
	) {
		$this->maybe_handle_ajax();
	}
} );

Unfortunately, no capability checks were used in the vulnerable versions, so a valid nonce was the only gate. There are a number of ways for an authenticated user to obtain the Ajax::NONCE_KEY, but one of the simplest is to view the source of the admin dashboard as a logged-in user, as the nonce is present for all authenticated users, even subscriber-level users.

This means that any logged-in user could use any of the onboarding functions. Additionally, an unauthenticated attacker with access to the Ajax::NONCE_KEY could use any of the functions called from maybe_handle_ajax, though this would likely require a separate vulnerability.

The function with the most severe impact was the upload_and_install_pro function. An attacker could craft a fake malicious “Elementor Pro” plugin zip and use this function to install it. Any code present in the fake plugin would be executed, which could be used to take over the site or access additional resources on the server.

In addition to this functionality, a less sophisticated attacker could simply deface the site by using the maybe_update_site_name, maybe_upload_logo_image, and maybe_update_site_logo functions to change the site name and logo.
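The following is an added illustration, not Elementor's code or its 3.6.3 patch: the same admin_init plus AJAX dispatch pattern shown above, with the capability checks the vulnerable versions lacked, covering both the plugin-install action and the site name/logo actions discussed here. The class name, the nonce key, the action names, and the POST field names are assumptions chosen for the example; the WordPress functions (wp_doing_ajax, wp_verify_nonce, current_user_can, wp_handle_upload, Plugin_Upgrader) are real core APIs, and install_plugins and manage_options are the core capabilities an administrator holds and a subscriber does not.

```php
<?php
// Added example (not Elementor's code): capability-gated AJAX dispatch.
// Names other than WordPress core functions are assumptions for illustration.

class Onboarding_Ajax_Example {

	// Assumed nonce action name; Elementor's equivalent is Ajax::NONCE_KEY.
	const NONCE_KEY = 'example_onboarding_nonce';

	// Each AJAX action is mapped to the capability the caller must hold.
	// Installing a plugin zip is equivalent to code execution, so it needs
	// install_plugins; changing site settings needs manage_options.
	const ACTION_CAPS = array(
		'example_upload_and_install_pro' => 'install_plugins',
		'example_update_site_name'       => 'manage_options',
	);

	public function __construct() {
		add_action( 'admin_init', function () {
			if ( ! wp_doing_ajax() || ! isset( $_POST['action'], $_POST['_nonce'] ) ) {
				return;
			}

			$action = sanitize_key( wp_unslash( $_POST['action'] ) );
			if ( ! isset( self::ACTION_CAPS[ $action ] ) ) {
				return; // Not one of this module's actions.
			}

			// A nonce only proves the request originated from a page that rendered
			// it (CSRF protection). It says nothing about who the user is, which is
			// why it cannot stand in for an authorization check.
			$nonce = sanitize_text_field( wp_unslash( $_POST['_nonce'] ) );
			if ( ! wp_verify_nonce( $nonce, self::NONCE_KEY ) ) {
				wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
			}

			// The check missing from the vulnerable versions: an explicit
			// per-action capability requirement. wp_send_json_error() exits.
			if ( ! current_user_can( self::ACTION_CAPS[ $action ] ) ) {
				wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
			}

			$this->handle( $action );
		} );
	}

	private function handle( $action ) {
		switch ( $action ) {
			case 'example_update_site_name':
				$name = isset( $_POST['site_name'] )
					? sanitize_text_field( wp_unslash( $_POST['site_name'] ) ) : '';
				update_option( 'blogname', $name );
				wp_send_json_success( array( 'site_name' => $name ) );
				break;

			case 'example_upload_and_install_pro':
				require_once ABSPATH . 'wp-admin/includes/file.php';
				require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

				// Accept only a zip upload from an assumed 'pro_zip' file field.
				$file = wp_handle_upload(
					$_FILES['pro_zip'],
					array( 'test_form' => false, 'mimes' => array( 'zip' => 'application/zip' ) )
				);
				if ( isset( $file['error'] ) ) {
					wp_send_json_error( array( 'message' => $file['error'] ), 400 );
				}

				$upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
				$result   = $upgrader->install( $file['file'] );
				if ( is_wp_error( $result ) || ! $result ) {
					wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
				}
				wp_send_json_success( array( 'installed' => true ) );
				break;
		}
	}
}

new Onboarding_Ajax_Example();
```

The design point is that nonce verification and authorization answer different questions: the nonce binds a request to a page the user legitimately loaded, while current_user_can() decides whether that user may perform the action at all. A handler that can install a plugin or change site-wide options needs both, and the capability requirement should be as narrow as the action (install_plugins for installs, manage_options for settings) rather than a single blanket check.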

Timeline

March 29, 2022 – We finish our investigation and deploy a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers. We send our full disclosure to the plugin developer’s official security contact.
April 5, 2022 – We follow up with the plugin developer’s security contact as we have not yet received a response.
April 11, 2022 – We send our full disclosure to the WordPress Plugins team.
April 12, 2022 – A patched version of Elementor is released.
April 28, 2022 – The firewall rule becomes available to free Wordfence users.

Conclusion

In today’s post, we covered a Critical vulnerability that allows any authenticated user to upload and execute malicious code on a site running a vulnerable version of the Elementor plugin. If your site is using the Elementor plugin, we urge you to update immediately. The good news is that the vulnerability is not present in versions prior to 3.6.0 and was successfully patched in 3.6.3.

Wordfence Premium, Wordfence Care, and Wordfence Response customers are fully protected from this vulnerability. Sites running the free version of Wordfence will receive the same protection on April 28, 2022, but have the option of updating Elementor to the patched version 3.6.3 to eliminate the risk immediately.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

If you know a friend or colleague who is using WordPress, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a Critical vulnerability that makes it easy for attackers to take over a site.
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.


Comments

  • I just had 4 sites using elementor rendered broken (won't start sites - just displays fatal error message on startup that's emailed to admin account)
    by "Parse error: syntax error unexpended ")" in the ...wp-content/themes/oceanwp/inc/template-helpers.php on line 348"
    I got email with a recovery link to the site. I've activated the Astra theme which allowed the system to come up - although with other issues. Deleted and re-installed the OceanWP, but the same complaint and the same problem.
    Thanks for the warning on this issue!

  • Hi,

    Elementor did another update just now to 3.6.4. Do you know if this is also part of the exploit, or if 3.6.3 is fine? We just pushed an update to 3.6.3 this morning on a large variety of websites after receiving a notice from WordFence yesterday, but I don't know if it is safe to leave it on 3.6.3 or if we should also update to 3.6.4 right away.

    Your thoughts?

    Thanks!

    • Hi Jay,

      It looks like the 3.6.4 patch offers some security improvements, particularly more fine-grained access control as well as sanitization improvements for some of the other onboarding functions that don't allow direct code execution. If you're the sole administrator on your site you're likely fine, but as a general rule we recommend updating to new security patches as soon as possible. While the original patch was sufficient to prevent abuse in almost all cases, there may be configurations where they're necessary and it's great to see Elementor following best practices here.

  • Thanks for the information!

  • It's interesting to note that those (possibly most) who use Elementor, receive it bundled with a theme and as such, without the automatic ability to update.
    There's two things that stand out to me with this model, the first being the overall efficacy of bundling static premium scripts. The second being the probable cash-flow boost premium script publishers receive when a serious vulnerability such as this is discovered. The first seems irresponsible and the second seems financially at odds with robust coding and testing practices.

    I believe a step in the right direction would be that premium publishers patch all prior versions when a vulnerability is discovered without the need to purchase a license. After all it is not the fault of the end user and it would go a long way toward showing ethical practices are at least equal to financial gain.

    Personally I don't use Elementor so if I have my assumptions twisted for this specific publisher I apologize.

    • Hi Andy,

      Elementor is fairly good in this respect, even if it's bundled with a theme as a requirement, what's bundled is the free version which contains most of the functionality and will continue to update. But you're not wrong that certain premium-only site builder plugins have had this problem in the past.

  • I guess I may be asking for too much, but as a "free user", I honestly expect a notification from your software about this... which might allow me to take action on my own. We, after all, are at WAR with Russia and particularly vulnerable right now. Getting protection a month after the fact doesn't cut it.

    • Hi Doloris,

      The Wordfence scanner will notify you when a known vulnerable plugin is installed, and you can update it immediately to secure your site. As a rule, though, we can't do that until after we publicly disclose the issue, so if you're on the mailing list that's likely to be the first place you hear about our finds.

  • Can this come from the vulnerability?

    Warning: Cannot modify header information - headers already sent by (output started at /home/somarzfd/public_html/wp-blog-header.php:1) in /home/xxx/public_html/wp-includes/pluggable.php on line 1355

    Warning: Cannot modify header information - headers already sent by (output started at /home/somarzfd/public_html/wp-blog-header.php:1) in /home/xxx/public_html/wp-includes/pluggable.php on line 1358

    all of a sudden my website is broken

    • Hi Jordan,

      That kind of error can be caused by an infected site, or by code that has been otherwise modified incorrectly. It doesn't necessarily mean that your site has been infected, but if you or your site developer haven't touched the site recently then it's definitely worth investigating. Whether or not the issue was caused by this vulnerability would be difficult to determine without a specialist reviewing the issue. If you want to try to DIY we do have a starter guide on how to clean your site using the Wordfence plugin as well at https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

  • Hi,

    Every site I run Elementor on is hacked. I have the latest update (I pay for the premium, so it's not just the free level impacted, if anyone wondered).

    I cannot find a way to fix any of the sites. It is even going around my maintenance mode. Does anyone have any advice besides reverting from a backup, because we have tried that on all the sites already. We also removed the plugin from the file manager wp-content folder, etc. Nothing is working.

    Thank you for any help.

    • Hi Amy,

      It can be difficult to clean multiple sites, especially if they're all hosted on the same hosting account, since it only takes one missed malicious file to reinfect the whole site. For that reason I would recommend moving each site to a separate hosting account and then cleaning them individually. Note that this would also be a requirement if you choose to have our Incident Response team take a look at it https://www.wordfence.com/products/wordfence-care/. We do have some tips at https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/ as well.