As of version 3.6.0, a vulnerability has been discovered in Elementor that allows an attacker to upload arbitrary code and perform a complete site takeover. The vulnerability was introduced due to a lack of proper security policies in the new Onboarding wizard feature.
Lack of capability checks
The flaws in Elementor are related to so-called capability checks.
Capability checking is a security layer that every plugin author must write. A capability check verifies the privilege level of the logged-in user before an action is performed.
For example, someone with subscriber-level permissions might be able to submit comments to articles, but they don’t have the permission level that grants them access to the WordPress edit screen to publish posts to the site.
User roles can be administrators, editors, subscribers, etc., and each level contains the user rights assigned to each user role.
When a plugin runs code, it should first check that the current user has sufficient capabilities to execute that code.
WordPress has published a plugin handbook that specifically addresses this important security check. The chapter titled "Check User Capabilities" outlines what plugin authors need to know about such checks.
The WordPress manual recommends:
“Check User Capabilities
If your plugin allows users to submit data – either on the admin side or the public side – it should check user capabilities.
…the most important step in creating an effective security layer is establishing a system of user permissions. WordPress provides this in the form of user roles and capabilities.”
Elementor version 3.6.0 introduced a new module (the Onboarding module) that failed to include capability checks.
So the problem with Elementor is not that attackers were unusually clever in finding a way to take over Elementor-based websites.
The exploit in Elementor is due to a failure to use capability checks where they were required.
According to a report published by Wordfence:
“Unfortunately, no capability check is used in the vulnerable version.
An attacker could craft a fake malicious “Elementor Pro” plugin zip and use this feature to install it.
Any code present in the fake plugin will be executed which can be used to take over the site or access other resources on the server.”
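To show what the missing check looks like in practice, here is an added illustration (not Elementor's or Wordfence's code) of a hypothetical WordPress AJAX handler that installs a plugin from an uploaded zip, first in the unchecked shape the report describes and then with the capability and nonce checks the WordPress handbook calls for. The helper `my_plugin_unpack_and_activate()` and the action names are assumptions for the example.

```php
<?php
// Added illustration, not Elementor's code. A hypothetical AJAX handler that
// installs a plugin zip, shown without and then with capability checks.

// --- Vulnerable shape: trusts any logged-in user -------------------------
function vuln_install_plugin_zip() {
    // wp_ajax_* hooks fire for ANY authenticated user, subscribers included.
    // With no current_user_can() and no nonce, every account can reach the
    // install path below, which is the class of flaw the article describes.
    $zip    = $_FILES['plugin_zip']['tmp_name'] ?? '';
    $result = my_plugin_unpack_and_activate( $zip ); // hypothetical helper
    wp_send_json( $result );
}
add_action( 'wp_ajax_vuln_install', 'vuln_install_plugin_zip' );

// --- Hardened shape --------------------------------------------------------
function safe_install_plugin_zip() {
    // 1. Capability check: only users who may install plugins proceed.
    //    This is the check the WordPress handbook chapter requires.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient_capabilities', 403 );
    }

    // 2. Nonce check: stops CSRF against an administrator who does have
    //    the capability. check_ajax_referer() dies on failure.
    check_ajax_referer( 'my_plugin_install', 'nonce' );

    // 3. Validate the upload before doing anything with it.
    $tmp  = $_FILES['plugin_zip']['tmp_name'] ?? '';
    $name = $_FILES['plugin_zip']['name'] ?? '';
    if ( '' === $tmp || ! is_uploaded_file( $tmp ) ) {
        wp_send_json_error( 'missing_upload', 400 );
    }
    $type = wp_check_filetype_and_ext( $tmp, $name );
    if ( 'application/zip' !== $type['type'] ) {
        wp_send_json_error( 'not_a_zip', 400 );
    }

    $result = my_plugin_unpack_and_activate( $tmp ); // hypothetical helper
    wp_send_json_success( $result );
}
add_action( 'wp_ajax_safe_install', 'safe_install_plugin_zip' );
```

The capability check alone is what the article's flaw is about; the nonce and file-type checks are the additional layers a reviewer would expect around any privileged install path.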
Recommended action
The vulnerability was introduced in Elementor version 3.6.0, so it does not exist in versions prior to this version.
Wordfence recommends that publishers update to version 3.6.3.
However, the official Elementor changelog states that version 3.6.4 fixes a sanitization issue related to the affected onboarding wizard module.
So it is advisable to update to Elementor 3.6.4.
[Screenshot: Elementor WordPress plugin changelog]
Citation
Read the Wordfence report on the Elementor vulnerability