WordPress Plugin Vulnerabilities

Elementor 3.6.0-3.6.2 - Subscriber+ Arbitrary File Upload

Description

The plugin is lacking capability check in a function hooked to admin_init introduced in v3.6.0, and only relying on a CSRF check. As the nonce is available to any authenticated users, they could call it and upload a malicious zip archive containing arbitrary files via a subsequent call, leading to RCE

Proof of Concept

Affects Plugins

Plugin icon
elementor
Fixed in 3.6.3

References

CVE
CVE-2022-1329
URL
https://plugins.trac.wordpress.org/changeset/2708766/elementor/trunk/core/app/modules/onboarding/module.php?old=2688036&old_path=elementor%2Ftrunk%2Fcore%2Fapp%2Fmodules%2Fonboarding%2Fmodule.php
URL
https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/

Miscellaneous

Original Researcher
Ramuel Gall (Wordfence)
Verified
Yes
WPVDB ID
df62d170-c7d1-43a4-b6dc-20512934c33e

Timeline

Publicly Published
2022-04-13 (about 3 years ago)
Added
2022-04-13 (about 3 years ago)
Last Updated
2022-04-18 (about 3 years ago)

Other

Published
Title
Published
2014-08-01
Title
D&elion - Arbitry File Upload
Published
2026-01-21
Title
Real Homes CRM < 1.0.1 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2025-08-19
Title
Compress Then Upload < 1.0.5 - Admin+ Arbitrary File Upload
Published
2014-08-01
Title
1 Flash Gallery - Arbitrary File Upload Exploit (MSF)
Published
2024-11-11
Title
Instant Image Generator < 1.5.3 - Unauthenticated Arbitrary File Upload