WordPress Elementor Plugin Remote Code Execution Vulnerability

A vulnerability was discovered in Elementor, starting with version 3.6.0, that allows an attacker to upload arbitrary code and stage a full site takeover. The flaw was introduced through a lack of proper security policies in a new “Onboarding” wizard feature.

Missing Capability Checks

The flaw in Elementor was related to what is known as Capability Checks.

A capability check is a security layer that all plugin makers are obliged to implement. It checks what permission level a logged-in user has.

For example, a person with subscriber-level permissions might be able to submit comments on articles, but they won’t have the permission level that grants access to the WordPress editing screen for publishing posts to the site.

User Roles can be admin, editor, subscriber, etc., and each role is assigned its own set of User Capabilities.

When a plugin runs code, it is supposed to check if the user has sufficient capability for executing that code.

WordPress published a Plugin Handbook that specifically addresses this important security check.

The chapter is called Checking User Capabilities, and it outlines what plugin makers need to know about this kind of security check.

The WordPress handbook advises:

“Checking User Capabilities

If your plugin allows users to submit data—be it on the Admin or the Public side—it should check for User Capabilities.

…The most important step in creating an efficient security layer is having a user permission system in place. WordPress provides this in the form of User Roles and Capabilities.”

Elementor version 3.6.0 introduced a new module (the Onboarding module) that failed to include capability checks.

So the problem with Elementor is not that hackers were clever and discovered a way to do a full site takeover of Elementor-based websites.

The exploit in Elementor was due to a failure to use capability checks where they were supposed to.

According to the report published by Wordfence:

“Unfortunately no capability checks were used in the vulnerable versions.

An attacker could craft a fake malicious “Elementor Pro” plugin zip and use this function to install it.

Any code present in the fake plugin would be executed, which could be used to take over the site or access additional resources on the server.”
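
One way to gate a plugin-installing AJAX action with the capability check the handbook describes. This is an added example, not Elementor's code or code from the Wordfence report; the `myplugin_*` names, the `package` upload field and the `myplugin_onboarding` nonce action are assumptions.

```php
<?php
/**
 * Added example: hypothetical plugin code, not Elementor's.
 * Every myplugin_* name, the 'package' field and the nonce action are assumptions.
 */

// wp_ajax_* hooks fire for any logged-in user. Being logged in is not
// authorization: a subscriber reaches this handler as easily as an admin.
add_action( 'wp_ajax_myplugin_onboarding_install', 'myplugin_onboarding_install' );

function myplugin_onboarding_install() {
    // 1. Capability check: this action installs a plugin, so require the
    //    capability WordPress ties to that operation. wp_send_json_error()
    //    sends the response and terminates the request.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. Nonce check: confirms the request was issued from our own admin
    //    screen (CSRF protection). It complements the capability check and
    //    does not replace it.
    check_ajax_referer( 'myplugin_onboarding', 'nonce' );

    // 3. Only accept a file that PHP itself received as an upload.
    if ( empty( $_FILES['package']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['package']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No package uploaded.' ), 400 );
    }

    // 4. Privileged work happens only after every check above has passed.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $_FILES['package']['tmp_name'] );

    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }

    wp_send_json_success();
}
```

Without steps 1 and 2, the installer in step 4 is reachable by every account on the site, which is the class of flaw the report describes.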

Recommended Action

The vulnerability was introduced in Elementor version 3.6.0 and thus does not exist in versions before that one.

Wordfence recommends that publishers update to version 3.6.3.

However, the official Elementor Changelog states that version 3.6.4 fixes sanitization issues related to the affected Onboarding wizard module.

So it’s probably a good idea to update to Elementor 3.6.4.

Citation

Read the Wordfence Report on the Elementor Vulnerability

Critical Remote Code Execution Vulnerability in Elementor