VTA-00413 – Remote Code Execution (RCE) Vulnerability in WordPress’s Elementor Plugin


Elementor, a widely used WordPress page-builder plugin, has released a security fix for CVE-2022-1329, a vulnerability that let any authenticated user escalate privileges to administrator-level control of the site and execute arbitrary code. The plugin's onboarding flow exposes an AJAX function whose intended purpose is to upload and install the 'Elementor Pro' plugin archive. Before the fix, that function only checked the request nonce and never verified that the calling user held the capability to install plugins, so nothing stopped a low-privileged account from reaching it. Because the function unpacks and installs whatever plugin archive it is handed, an attacker can bundle a legitimate plugin header with arbitrary PHP files; once that archive is installed and activated, the attacker's code runs on every request with the privileges of the web server, which is the RCE.

Any authenticated user who can reach the WordPress admin dashboard, which by default includes Subscriber accounts, can therefore upload arbitrary files, deface the site or take it over completely. The vulnerability affects Elementor versions 3.6.0 to 3.6.2 and has been publicly disclosed; the fix shipped in version 3.6.3. It falls under OWASP Top 10 2021 category A01, Broken Access Control, since the flaw is a missing authorization check on a privileged function rather than a bypass of login.
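The following is an added illustration written for this page, not Elementor's source code: a stripped-down WordPress AJAX handler in the shape of the affected "upload and install" function, shown first without and then with the missing capability check. The action name, nonce name and upload field name (demo_upload_and_install_pro, demo_nonce, plugin_zip) are assumptions; the WordPress functions used (check_ajax_referer, current_user_can, wp_handle_upload, wp_check_filetype, Plugin_Upgrader, activate_plugin) are real core APIs.

```php
<?php
// Added example, not Elementor's own code. Hook, nonce and field names
// ('demo_upload_and_install_pro', 'demo_nonce', 'plugin_zip') are assumptions.

/**
 * Shared install step: move the uploaded archive out of the request, unpack it
 * into wp-content/plugins/ and return the new plugin's basename or a WP_Error.
 * Plugin_Upgrader::install() trusts whatever archive it is given, so everything
 * hinges on who is allowed to reach this point.
 */
function demo_install_uploaded_plugin( array $upload ) {
    $moved = wp_handle_upload( $upload, array( 'test_form' => false ) );
    if ( isset( $moved['error'] ) ) {
        return new WP_Error( 'upload_failed', $moved['error'] );
    }
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $moved['file'] );
    @unlink( $moved['file'] );                     // the archive is no longer needed
    if ( is_wp_error( $result ) || ! $result ) {
        return new WP_Error( 'install_failed', 'Plugin installation failed.' );
    }
    return $upgrader->plugin_info();               // e.g. "some-plugin/some-plugin.php"
}

// VULNERABLE shape (the CVE-2022-1329 pattern): the nonce only proves the
// request came from a page the user could load, not that the user may install
// plugins. Every wp_ajax_* hook fires for any logged-in account, Subscribers
// included, so this handler is reachable by the lowest-privileged role.
function demo_vulnerable_handler() {
    check_ajax_referer( 'demo_nonce', '_nonce' );
    $plugin = demo_install_uploaded_plugin( $_FILES['plugin_zip'] );
    if ( is_wp_error( $plugin ) ) {
        wp_send_json_error( $plugin->get_error_message() );
    }
    activate_plugin( $plugin );                    // attacker-supplied PHP now runs on every request
    wp_send_json_success( $plugin );
}

// HARDENED shape: authorization first, then request intent, then input checks.
function demo_hardened_handler() {
    // 'install_plugins' is the capability WordPress itself demands for plugin
    // installation; on a single site only Administrators hold it.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    check_ajax_referer( 'demo_nonce', '_nonce' );

    // Reject anything that is not a .zip before it is written to disk. The
    // client-supplied MIME type is untrusted, so check the name via core.
    if ( empty( $_FILES['plugin_zip']['name'] ) ) {
        wp_send_json_error( 'No archive supplied.', 400 );
    }
    $type = wp_check_filetype( $_FILES['plugin_zip']['name'], array( 'zip' => 'application/zip' ) );
    if ( 'zip' !== $type['ext'] ) {
        wp_send_json_error( 'Only .zip archives are accepted.', 400 );
    }

    $plugin = demo_install_uploaded_plugin( $_FILES['plugin_zip'] );
    if ( is_wp_error( $plugin ) ) {
        wp_send_json_error( $plugin->get_error_message() );
    }
    activate_plugin( $plugin );
    wp_send_json_success( $plugin );
}

// Only the hardened handler is wired up; the vulnerable one is kept for comparison.
add_action( 'wp_ajax_demo_upload_and_install_pro', 'demo_hardened_handler' );
```

The order in the hardened handler matters: the capability test comes before anything touches $_FILES, so an unauthorized caller never gets a file written to disk at all. A nonce is a CSRF defence, not an authorization check, and the affected Elementor versions illustrate what happens when the two are conflated.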

Severity:
High

Attack Surfaces:
Web Application

Tactics:
Execution, Privilege Escalation

Techniques:
Missing authorization check (privileged AJAX function without a capability check)

Active Defense Tactics:
Detect, Disrupt

Active Defense Techniques:
Security Controls, Software Manipulation

SuperPRO’s Threat Countermeasures Procedures: 
1) Update the Elementor plugin to version 3.6.3 or newer.
2) Keep WordPress core and all other installed plugins and themes on their latest security releases.
3) On sites that ran an affected version, review the installed plugins and the user list for anything unexpected, since a successful exploit leaves an attacker-controlled plugin installed.
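As an added example (not Elementor's or WordPress core's own code), the must-use plugin below supports the Detect and Disrupt tactics listed above: it flags an installed Elementor in the affected version range, and it blocks and logs any plugin installation attempted by a logged-in user who lacks the install_plugins capability, regardless of which plugin's code path started the install. The function and option names prefixed vta00413_ are assumptions; the WordPress APIs used (get_plugin_data, version_compare, the admin_notices action, the upgrader_pre_install filter, wp_get_current_user, error_log) are real.

```php
<?php
/**
 * Added example, not Elementor's or WordPress's own code.
 * Drop into wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// (1) Detect: is the installed Elementor inside the CVE-2022-1329 range?
function vta00413_elementor_is_vulnerable() {
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $plugin_file = WP_PLUGIN_DIR . '/elementor/elementor.php';
    if ( ! file_exists( $plugin_file ) ) {
        return false;                              // plugin not installed
    }
    $version = get_plugin_data( $plugin_file, false, false )['Version'];
    // Affected: 3.6.0 <= version < 3.6.3 (fix shipped in 3.6.3).
    return version_compare( $version, '3.6.0', '>=' )
        && version_compare( $version, '3.6.3', '<' );
}

add_action( 'admin_notices', function () {
    if ( current_user_can( 'update_plugins' ) && vta00413_elementor_is_vulnerable() ) {
        echo '<div class="notice notice-error"><p>Elementor is in the CVE-2022-1329 affected range '
           . '(3.6.0 to 3.6.2). Update to 3.6.3 or newer.</p></div>';
    }
} );

// (2) Disrupt: WP_Upgrader::run() applies 'upgrader_pre_install' before any
// package is unpacked; returning a WP_Error aborts the installation. This is
// independent of whichever plugin exposed the install path, so it still holds
// if another plugin forgets its capability check.
add_filter( 'upgrader_pre_install', function ( $response, $hook_extra ) {
    // Only police plugin installs/updates. Skip unattended contexts (WP-Cron
    // auto-updates, WP-CLI) where no user is logged in; blocking those would
    // break legitimate background updates.
    if ( empty( $hook_extra['type'] ) || 'plugin' !== $hook_extra['type'] || ! is_user_logged_in() ) {
        return $response;
    }
    if ( current_user_can( 'install_plugins' ) ) {
        return $response;
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        'VTA-00413 guard: blocked plugin install by user %d (%s) from %s',
        $user->ID,
        $user->user_login,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'     // behind a proxy, use the proxy's forwarded header instead
    ) );
    return new WP_Error( 'vta00413_blocked', 'Plugin installation requires the install_plugins capability.' );
}, 10, 2 );
```

The guard is defence in depth, not a substitute for updating: it only intercepts code that goes through WP_Upgrader, and an attacker who already has code execution can bypass it. The log line it emits is the detection signal to forward to a SIEM; a blocked install by a Subscriber-level account is a high-confidence indicator of an exploitation attempt against this class of flaw.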

Contributed by:  Izzy
