Elementor, a WordPress website builder plugin with over 5 million active installations, has been discovered to be vulnerable to an authenticated remote code execution flaw that could be exploited to take complete control of affected websites.
The bug was introduced in version 3.6.0, released on March 22, 2022, according to Plugin Vulnerabilities, the firm that disclosed the flaw weeks ago. Approximately 37% of plugin users are on version 3.6.x.
“This means that the website can run malicious code provided by the attacker,” the researchers explained. “In this case, the vulnerability may be exploitable by someone who is not logged in to WordPress, but it can easily be exploited by anyone who is logged in to WordPress and has access to the WordPress admin dashboard.”
In a nutshell, the problem involves arbitrary file uploads to affected websites, which could result in code execution.
Proof of concept:

    <html>
      <body>
        <form action="https://WordPressWebsiteURL/wp-admin/admin-ajax.php" enctype="multipart/form-data" method="POST">
          <input type="hidden" name="action" value="elementor_upload_and_install_pro" />
          <input type="hidden" name="_nonce" value="[nonce]" />
          <input type="file" name="fileToUpload" />
          <input type="submit" value="Upload" />
        </form>
      </body>
    </html>
Patchstack notes that “this vulnerability could allow any authenticated user, regardless of their authorization, to change the site title, site logo, change the theme to Elementor’s theme, and worst of all, upload arbitrary files to the site.”
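One stop-gap a site administrator can apply until the plugin is updated, written here as an added example that is not from the article, Elementor or Patchstack: a must-use plugin that refuses the admin-ajax action named in the proof of concept above unless the caller holds the install_plugins capability, which is what "regardless of their authorization" implies is missing. The file name and the eug_ helper are assumptions; the hook relies on admin_init firing on admin-ajax.php before the wp_ajax_* handler is dispatched.

```php
<?php
/**
 * Plugin Name: Elementor upload action capability guard (hypothetical mu-plugin)
 * Description: Place in wp-content/mu-plugins/ as a temporary virtual patch
 *              until the vulnerable Elementor version is updated.
 */

// The AJAX action from the proof of concept in the article.
const EUG_UPLOAD_ACTION = 'elementor_upload_and_install_pro';

/**
 * Pure decision helper (name is an assumption): block when the request targets
 * the upload/install action and the caller cannot install plugins. Anonymous
 * callers have no capabilities, so the nopriv path is covered as well.
 */
function eug_should_block( $action, $can_install_plugins ) {
    return EUG_UPLOAD_ACTION === $action && ! $can_install_plugins;
}

add_action( 'admin_init', function () {
    // admin-ajax.php fires admin_init before dispatching wp_ajax_{action},
    // so a priority-0 callback runs ahead of Elementor's handler.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    // WordPress reads the action from $_REQUEST, so check GET and POST alike.
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';

    if ( eug_should_block( $action, current_user_can( 'install_plugins' ) ) ) {
        // Log enough to investigate: who, from where, and what they asked for.
        error_log( sprintf(
            'eug: blocked %s for user %d from %s',
            $action,
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
}, 0 );
```

Administrators who legitimately need the action keep it, because current_user_can( 'install_plugins' ) is true for them; every other role, and unauthenticated requests, receive a 403 before any file is written.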
The announcement comes more than two months after Essential Addons for Elementor was discovered to contain a critical vulnerability that could allow arbitrary code to be executed on compromised websites.