Critical Vulnerability Fixed In Elementor Plugin Version 3.6.3

Published 13 April 2022
Updated 23 November 2023
Dave Jong
CTO at Patchstack
Table of Contents

A critical vulnerability was fixed in the WordPress plugin Elementor.

Do you want to be the first to be alerted about such vulnerabilities? Sign up for Patchstack Community (Free) plan and monitor up to 10 WordPress sites for free.

For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies.

Note: we are still gathering more information on this vulnerability, such as the requirements to exploit this vulnerability (unauthenticated or subscriber+ which we have confirmed), and are also still waiting on information on the original discoverer of the vulnerability as we did not discover this vulnerability. We'll be updating this article as we continue with the investigation.

The widely popular WordPress website builder plugin Elementor, which has over 5 million active installations, has recently released version 3.6.3 which contains an important security fix.

This vulnerability could allow any authenticated user, regardless of their authorization, to change the site title, site logo, change the theme to Elementor's theme, and worst of all, upload arbitrary files to the site.

The arbitrary file upload vulnerability could allow someone to take over the entire site or perform remote code execution (RCE).

Please update immediately! Patchstack protected sites have received a vPatch to be protected from this vulnerability.

The security vulnerability in Elementor

The vulnerability exists due to an "onboarding" module that is loaded on every request and is hooked into the admin_init WordPress hook. This hook is fired on any admin-related screen/script but does not necessarily imply that it's only fired when a higher privileged user is logged in on the site.

This module determines if the POST payload action and _nonce parameters are sent and also determines if the nonce that is sent along with the request is valid. From this point on it will execute the action given in the action parameter.

Since the nonce token that is checked in this module is sent to any authenticated user it makes it possible for any authenticated user to execute this action regardless of their authorization.

Note: At this time we are still determining if unauthenticated users are able to leak the nonce token as well (and thus are able to exploit the vulnerability).

The patch in Elementor

The patch was applied in version 3.6.3 of Elementor. The diffs of the commit can be found here and the security patch itself can be found here. A snippet of the security patch can be seen below.

vulnerability in Elementor

Here you can see that an additional check was added to determine the authorization of the user using the current_user_can WordPress function, which fixes the security issue.

Timeline of the vulnerability in Elementor

13-04-2022 - We came across the vulnerability when it was caught by our monitoring tools. We released a vPatch to all Patchstack paid version customers.
13-04-2022- Added the vulnerability to the Patchstack vulnerability database.

The latest in Security Advisories

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.
crossmenu