A vulnerability was discovered in Elementor, starting with version 3.6.0, that allows an attacker to upload arbitrary code and stage a full site takeover. The flaw was introduced through missing security checks in a new “Onboarding” wizard feature.
Missing Capability Checks
The flaw in Elementor was related to what is known as Capability Checks.
A capability check is a security layer that every plugin maker is obliged to code. It verifies what permission level the current user has before an action is carried out.
For example, a person with a subscriber-level permission might be able to submit comments to articles but won’t have the permissions to access the WordPress editing screen for publishing posts to the site.
User Roles can be administrator, editor, subscriber, etc., and each role is assigned a set of User Capabilities.
When a plugin runs code, it is supposed to check if the user has sufficient capability for executing that code.
WordPress published a Plugin Handbook that specifically addresses this important security check.
The chapter is called “Checking User Capabilities” and it outlines what plugin makers need to know about this kind of security check.
The WordPress handbook advises:
Checking User Capabilities
If your plugin allows users to submit data—be it on the Admin or the Public side—it should check for User Capabilities.
…The most important step in creating an efficient security layer is having a user permission system in place. WordPress provides this in the form of User Roles and Capabilities.
Elementor version 3.6.0 introduced a new module (the Onboarding module) that failed to include capability checks.
The issue with Elementor was not that hackers were particularly clever, but rather that capability checks were omitted where they were needed.
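As an added illustration (this is not Elementor's code and is not taken from the Wordfence report), the following hypothetical WordPress plugin handler shows what an omitted capability check looks like next to the same handler with the checks the Plugin Handbook calls for. The function names, the myplugin_ prefix, the addon_zip upload field and the nonce action name are assumptions made for the example; current_user_can(), check_ajax_referer(), wp_check_filetype_and_ext() and Plugin_Upgrader are real WordPress APIs.

```php
<?php
/**
 * Added illustration (not Elementor's code): a hypothetical plugin AJAX handler
 * that installs an add-on plugin from an uploaded zip, shown once without and
 * once with the checks the WordPress Plugin Handbook describes.
 * The 'myplugin_' prefix, field names and nonce action are assumptions.
 */

// --- Pattern A: the class of mistake described above (do not ship this). ---
// The handler runs for any logged-in user, but nothing inside it asks whether
// the caller is allowed to install plugins, so every authenticated role
// (including subscriber) reaches the install path.
function myplugin_unsafe_install_handler() {
    if ( empty( $_FILES['addon_zip']['tmp_name'] ) ) {
        wp_send_json_error( 'no file' );
    }
    myplugin_install_from_zip( $_FILES['addon_zip']['tmp_name'] );
    wp_send_json_success();
}

// --- Pattern B: the same handler with the capability layer in place. ---
function myplugin_safe_install_handler() {
    // 1. Request-forgery protection: the request must carry the nonce issued
    //    for this specific action. Invalid or missing nonces end the request.
    check_ajax_referer( 'myplugin_install_addon', 'nonce' );

    // 2. Capability check: only users who may install plugins get any further.
    //    'install_plugins' is a core capability held by administrators
    //    (on multisite, by super admins).
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Input validation: reject anything that is not a genuine uploaded zip.
    if ( empty( $_FILES['addon_zip']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['addon_zip']['tmp_name'] ) ) {
        wp_send_json_error( 'no file' );
    }
    $type = wp_check_filetype_and_ext(
        $_FILES['addon_zip']['tmp_name'],
        $_FILES['addon_zip']['name']
    );
    if ( 'zip' !== $type['ext'] ) {
        wp_send_json_error( 'not a zip archive' );
    }

    myplugin_install_from_zip( $_FILES['addon_zip']['tmp_name'] );
    wp_send_json_success();
}

// Delegate the actual installation to the core upgrader instead of unpacking
// the archive by hand, so core's own file handling and skin logging apply.
function myplugin_install_from_zip( $path ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return $upgrader->install( $path );
}

// Register only the hardened handler; Pattern A is kept solely for comparison.
add_action( 'wp_ajax_myplugin_install_addon', 'myplugin_safe_install_handler' );
```

The order matters: the nonce check rejects forged requests before any work is done, the capability check stops low-privileged accounts regardless of how they reached the endpoint, and the file checks run last. Registering the hook with wp_ajax_ (rather than wp_ajax_nopriv_) only ensures the caller is logged in; it says nothing about their role, which is exactly why the explicit current_user_can() call is needed.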
According to a report published by Wordfence:
No capability checks were used in the vulnerable versions.
An attacker could craft a fake malicious “Elementor Pro” plugin zip file and use this function to install it.
Any code present in the fake plugin would be executed, which could be used to take over the site or access additional resources on the server.
Recommended Action
The vulnerability was introduced in Elementor version 3.6.0 and does not exist in versions before that one.
It is recommended that publishers update to version 3.6.3.
However, the official Elementor Changelog states that version 3.6.4 fixes sanitization issues related to the affected Onboarding wizard module.
So it is advisable to update to Elementor version 3.6.4.
Elementor WordPress Plugin Changelog Screenshot
Citation
Read the Wordfence Report on the Elementor Vulnerability
Critical Remote Code Execution Vulnerability in Elementor