Researchers stated that they discovered a vulnerability in Elementor, a WordPress website builder plugin that is installed on more than five million websites. The authenticated remote code execution vulnerability could allow a third-party attacker to take over the affected website. The vulnerability appeared in version 3.6.0, which was released on March 22. Approximately 30% of its users are now using version 3.6.x.
Authenticated remote code execution
In the file /core/app/modules/onboarding/module.php in the plugin, a piece of code is hooked to run during admin_init. This means it can be run for those who are not logged in to WordPress. If an AJAX request is being made and a valid nonce is provided, it calls another function in the same file, maybe_handle_ajax().
That function then runs other functions depending on the value of the POST parameter “action”. The RCE vulnerability we found involves the function upload_and_install_pro(), which is reachable through that dispatch. The researchers said,
« What we immediately found was that the plugin isn’t handling basic security right, as we found many functionalities where capabilities checks were missing where they shouldn’t. While some of those were not accessible to users that shouldn’t have access, we found at least one that is and the functionality accessible leads to one of the most serious types of vulnerabilities, remote code execution (RCE). That means that malicious code provided by the attacker can be run by the website. »
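The pattern described above, an admin_init callback that dispatches privileged AJAX sub-actions after checking only a nonce, is shown here as an added illustration with the missing authorization step put back. This is not Elementor's code: the class name, nonce action, hook, and sub-action names are hypothetical, and the only WordPress functions used are the standard ones (add_action, wp_doing_ajax, check_ajax_referer, current_user_can, wp_send_json_error, wp_send_json_success, sanitize_key).

```php
<?php
// Added illustration (not the plugin's own code). A WordPress plugin
// module that dispatches AJAX sub-actions from admin_init. Class,
// nonce action and sub-action names are hypothetical.

class Example_Onboarding_Module {

    public function __construct() {
        // admin_init also fires for admin-ajax.php requests, so this
        // callback is reachable without any admin page being rendered
        // and regardless of whether the caller is logged in.
        add_action( 'admin_init', array( $this, 'maybe_handle_ajax' ) );
    }

    public function maybe_handle_ajax() {
        // Only act on AJAX requests.
        if ( ! wp_doing_ajax() ) {
            return;
        }

        // A nonce proves the request was issued from a page that handed
        // it out; it does NOT prove the caller is allowed to install code.
        if ( ! check_ajax_referer( 'example_onboarding', 'nonce', false ) ) {
            wp_send_json_error( 'invalid nonce', 403 );
        }

        // This is the capability check the article says was missing.
        // Without it, any caller who can obtain a valid nonce reaches the
        // privileged sub-actions below.
        if ( ! current_user_can( 'install_plugins' ) ) {
            wp_send_json_error( 'insufficient privileges', 403 );
        }

        $action = isset( $_POST['action'] ) ? sanitize_key( $_POST['action'] ) : '';

        switch ( $action ) {
            case 'example_upload_and_install':
                $this->upload_and_install();
                break;
            default:
                wp_send_json_error( 'unknown action', 400 );
        }
    }

    private function upload_and_install() {
        // Placeholder for the privileged operation. A real handler would
        // validate the uploaded archive (size, extension, contents) and use
        // the WordPress upgrader API rather than writing files directly.
        wp_send_json_success( 'installed' );
    }
}

new Example_Onboarding_Module();
```

The design point is that nonce verification and capability checking answer different questions: the nonce guards against cross-site request forgery, while current_user_can() decides whether this user may perform a plugin-installing action at all. Reviewing a plugin for handlers that reach wp_send_json_* or file-writing code with a nonce check but no current_user_can() call is a quick way to find this class of defect.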