A vulnerability has been discovered in Elementor, starting from version 3.6.0, which allows an attacker to upload arbitrary code and stage a complete takeover of the site. The flaw was introduced by a missing security check in a new “Onboarding” wizard feature.
Missing capability checks
The flaw in Elementor was related to so-called capability checks.
A capability check is a security layer that all plugin makers are required to code. It checks the permission level of the logged-in user before privileged code runs.
For example, someone with subscriber-level permission may be able to submit comments on posts, but they won’t have the permission level to access the WordPress edit screen or to publish articles on the site.
User roles can be administrator, editor, subscriber, etc., with each level containing user capabilities that are assigned to each user role.
When a plugin executes code, it is supposed to check whether the user has sufficient capability to execute that code.
WordPress has published a plugin manual that specifically addresses this important security check.
The chapter is titled “Verification of user capabilities”, and it describes what plugin makers need to know about this type of security check.
The WordPress manual advises:
“Verification of user capabilities
If your plugin allows users to submit data, whether on the admin or public side, it should verify the capabilities of the user.
… The most important step in creating an effective security layer is to implement a user authorization system. WordPress provides this in the form of user roles and capabilities.
Elementor version 3.6.0 introduced a new module (integration module) which did not include capability checks.
So, the problem with Elementor is not that hackers were smart and figured out a way to take complete control of Elementor-based websites.
The exploit in Elementor was due to a failure to use capability checks where they were supposed to be used.
According to the report published by Wordfence:
“Unfortunately, no capability checks were used in the vulnerable versions.
An attacker could create a fake malicious “Elementor Pro” plugin zip file and use this feature to install it.
Any code present in the fake plugin would be executed, which could be used to take over the site or access additional resources on the server.”
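The check the manual describes, applied to the kind of feature Wordfence describes (a handler that accepts a plugin zip and installs it). This is an added example written for this article, not Elementor’s code; the action name, nonce name and upload field are assumptions.

```php
<?php
// Added example (hypothetical handler, not Elementor's code): a plugin-install
// AJAX endpoint gated the way the WordPress plugin handbook requires.
// Omitting step 2 is the class of flaw the article describes: any logged-in
// user who can reach the wp_ajax_* action could trigger the install.
function demo_install_plugin_handler() {
    // 1. CSRF check: the request must carry a nonce issued for this action.
    check_ajax_referer( 'demo_install_plugin', 'nonce' );

    // 2. Capability check: installing plugins is an administrator capability.
    //    A subscriber-level account fails here and never reaches the upload code.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate the upload before handing it to the installer.
    if ( empty( $_FILES['plugin_zip'] ) || UPLOAD_ERR_OK !== $_FILES['plugin_zip']['error'] ) {
        wp_send_json_error( array( 'message' => 'No valid file uploaded.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    // Only accept a zip archive; wp_handle_upload() moves it into the uploads dir.
    $upload = wp_handle_upload(
        $_FILES['plugin_zip'],
        array( 'test_form' => false, 'mimes' => array( 'zip' => 'application/zip' ) )
    );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( array( 'message' => $upload['error'] ), 400 );
    }

    // 4. Install through WordPress's own upgrader rather than extracting by hand.
    $upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
    $result   = $upgrader->install( $upload['file'] );
    @unlink( $upload['file'] ); // the archive is no longer needed once installed

    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }
    wp_send_json_success( array( 'message' => 'Plugin installed.' ) );
}
add_action( 'wp_ajax_demo_install_plugin', 'demo_install_plugin_handler' );
```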
The vulnerability was introduced in Elementor version 3.6.0 and therefore does not exist in versions prior to this.
Wordfence recommends publishers update to version 3.6.3.
However, the official Elementor changelog indicates that version 3.6.4 fixes sanitization issues related to the affected onboarding wizard module.
So it’s probably a good idea to update to Elementor 3.6.4.
Screenshot of Elementor WordPress plugin changelog
Read the Wordfence report on the Elementor vulnerability