Up to 250k sites could still be affected by a recent critical flaw found in the WordPress Elementor plugin

Firstly, this is not a plugin Spotlight Studios uses or endorses in anyway. In fact out of all the websites we’ve inherited over the last 10 years, websites built using this plugin were arguably the most troublesome. However being a top builder in the market it can tend to attract some amateurs as well so objectively speaking it could be that putting Elementor in the right hands it wouldn’t be quite so bloated and cumbersome… maybe 🙂

Personal experiences aside the fact remains that an extremely critical flaw has been found in the WordPress Elementor Plugin. Although exploiting the flaw requires authentication, it’s critical severity has been assigned due to the fact that anyone logged into the vulnerable website can exploit it, including regular subscribers. Therefore if you run a website with any form of userbase such as ecommerce or membership then get onto your website admin asap. If you don’t have a website admin and you need some assistance then get in touch with us asap.

Get Help

A threat actor creating a normal user account on an affected website could change the name and theme of the affected site making it look entirely different. This could also wipe any theme configurations IF for instance widget locations have been used that were not supported so even restoring it back could have very adverse affects. Security researchers also believe that a non-logged in user could also exploit the flaw but this is yet to be proven.

Technical Background

For those interested in the technicalities of the issue then the problem lies in the absence of a crucial access check in one of the plugin’s files, “module.php”, which is loaded on every request during the admin_init action, even for users that are not logged in, the researchers explain.

“The RCE vulnerability we found involves the function upload_and_install_pro() accessible through the previous function. That function will install a WordPress plugin sent with the request” – Plugin Vulnerabilities

One of the functions triggered by the admin_init action allows file upload in the form of a WordPress plugin. A threat actor could place a malicious file there to achieve remote code execution. The researchers go on to advise that the only restriction in place is access to a valid nonce. However, they found that the relevant nonce is present in “source code of admin pages of WordPress that starts ‘elementorCommonConfig‘, which is included when logged in as a user with the Subscriber role.” 🤦‍♂️

How long has this been an issue?

According to Plugin Vulnerabilities, the issue was introduced with Elementor 3.6.0, released on March 22, 2022.

How to Fix

Statistics provided by WordPress indicate that a little over 30% of Elementor’s users have upgraded to version 3.6.x, which would indicate approximately 1.5 million websites were affected. A patch was released in version 3.6.3, at the time of writing Elementor has been downloaded over 1.25 million times since the patch, assuming all of these updated the latest version this would still leave a potential of 250k+ websites at risk. The latest version includes a commit that implements an additional check on the nonce access, using the current_user_can WordPress function.