A dangerous new vulnerability in a popular WordPress plugin has recently been discovered. Wordfence cybersecurity researchers discovered a flaw in the Elementor plugin that allowed any authenticated user to upload arbitrary PHP code.
Elementor is one of the most popular plugins for WordPress, installed on over five million websites.
The plugin was recently updated to version 3.6.0, which introduced, among other things, a new integration module, the purpose of which was to simplify the initial configuration of the plugin. However, the researchers discovered that the module used an “unusual” method to register AJAX actions, without a capability check.
Execution of malicious code
“There are several ways for an authenticated user to get Ajax::NONCE_KEY, but one of the easiest ways is to view the admin dashboard source as the logged in user, since it’s there for all authenticated users, even for subscriber-level users,” the researchers explain.
Therefore, any logged-in user can use any of the integration features. An attacker could, for example, create a malicious “Elementor Pro” plugin zip and use the integration features to install it. The site would then run any code present in the plugin, including code designed to support the site, or access additional resources on the server.
The features could also be used to completely deface the site, the researchers added.
The good news is that the flaw is not present in any Elementor versions prior to 3.6.0 and the fix for the bug is already available.
On April 12, the team released version 3.6.3 of the plugin, with Wordfence urging all Elementor users to update their plugins as soon as possible.
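An added illustration of the pattern described above (not Elementor's code and not taken from the Wordfence report): an AJAX handler gated only by a nonce, beside one that also checks capabilities. The action name, nonce name, step names and helper functions are hypothetical; the WordPress functions used are core APIs.

```php
<?php
/**
 * Plugin Name: Example onboarding AJAX gate (added illustration)
 * All names here are hypothetical; this is not Elementor's code.
 */

const EXAMPLE_NONCE = 'example_onboarding'; // hypothetical nonce action

// Each sub-action declares the capability it needs; unknown ones are refused.
const EXAMPLE_REQUIRED_CAPS = array(
    'set_site_name'  => 'manage_options',
    'install_plugin' => 'install_plugins',
    'upload_logo'    => 'upload_files',
);

// Weak pattern: the nonce is the only gate. It is printed into the admin
// dashboard for every logged-in user, so it stops CSRF but says nothing
// about whether the caller may perform the action.
function example_dispatch_weak() {
    check_ajax_referer( EXAMPLE_NONCE, '_nonce' );
    example_run( sanitize_key( wp_unslash( $_POST['step'] ?? '' ) ) );
}

// Hardened pattern: nonce first, then a per-action capability check.
function example_dispatch_hardened() {
    check_ajax_referer( EXAMPLE_NONCE, '_nonce' );
    $step = sanitize_key( wp_unslash( $_POST['step'] ?? '' ) );
    $cap  = EXAMPLE_REQUIRED_CAPS[ $step ] ?? null;
    if ( null === $cap || ! current_user_can( $cap ) ) {
        // wp_send_json_error() ends the request, so example_run() is never reached.
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }
    example_run( $step );
}

// Stand-in for the real work so the example stays focused on the gate.
function example_run( $step ) {
    wp_send_json_success( array( 'step' => $step ) );
}

// Only the hardened dispatcher is registered.
add_action( 'wp_ajax_example_onboarding', 'example_dispatch_hardened' );
```

With the hardened dispatcher, a subscriber who holds a valid nonce still receives a 403 for every step, because none of the listed capabilities belong to that role by default.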
Being one of the most popular plugins for WordPress, Elementor is often targeted by bug hunters and threat actors.
In early February, cybersecurity researcher Wai Yan Myo Thet discovered a vulnerability in the Essential Addons for Elementor plugin – a critical Remote Code Execution (RCE) flaw that allowed potential malicious actors to perform a local file inclusion attack.