A high severity vulnerability was discovered in the Elementor website builder plugin, which could allow an attacker to upload files to the server and execute them. The issue lies in the template uploader functionality.
Elementor Unrestricted Upload of File with Dangerous Type Vulnerability
Elementor website builder is a popular WordPress plugin with over 5 million installations. Its popularity is driven by its easy-to-use drag and drop interface for creating professional looking websites.
The vulnerability found in Elementor is rated 8.8/10, making websites using the plugin susceptible to Remote Code Execution. This allows an attacker to potentially control the compromised site and execute various commands.
This vulnerability is known as an Unrestricted Upload of File with Dangerous Type. It enables attackers to upload malicious files, which in turn allows them to execute commands on the affected web server.
Such issues are generally described as follows:
“The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.”
Wordfence describes this particular vulnerability:
“The Elementor Website Builder plugin for WordPress is vulnerable to Remote Code Execution via file upload in all versions up to and including 3.18.0 via the template import functionality.
This makes it possible for authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.”
Wordfence also indicates that there is no patch currently available to fix this issue and recommends uninstalling Elementor.
“No known patch available. Please review the vulnerability’s details in depth and employ mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.”
Elementor 3.18.1 Version Update
Elementor released an update to version 3.18.1 today. It is unclear if this patch fixes the vulnerability, as Wordfence reports that it remains unpatched.
The changelog describes this update:
“Fix: Improved code security enforcement in File Upload mechanism”
This is a newly reported vulnerability and the details may evolve. However, Wordfence warns that hackers are already targeting Elementor websites, noting that its paid version has blocked eleven hacking attempts since the announcement was published.
Read the Wordfence advisory:
Elementor <= 3.18.0 Authenticated (Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import
