WordPress Plugin Vulnerability Report – Elementor Website Builder – Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import

Plugin Name: Elementor Website Builder

Key Information:

  • Software Type: Plugin
  • Software Slug: elementor
  • Software Status: Active
  • Software Author: elemntor
  • Software Downloads: 357,725,852
  • Active Installs: 5,000,000
  • Last Updated: December 6, 2023
  • Patched Versions: No patched version
  • Affected Versions: <= 3.18.0

Vulnerability Details:

  • Name: Elementor <= 3.18.0 Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import
  • Title: Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import
  • Type: Unrestricted Upload of File with Dangerous Type
  • CVSS Score: 8.8 (High)
  • Publicly Published: December 6, 2023
  • Description: The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Remote Code Execution via file upload in all versions up to and including 3.18.0 via the template import functionality. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.

Summary:

The Elementor Website Builder for WordPress has a high severity vulnerability in versions up to and including 3.18.0 that allows authenticated users with contributor-level access or higher to upload arbitrary files and execute remote code on the server via the template import functionality. This vulnerability has not yet been patched.

Detailed Overview:

On December 6th, 2023, a critical remote code execution vulnerability was publicly disclosed, impacting the popular Elementor Website Builder plugin, active on over 5 million WordPress sites. This vulnerability allows users with contributor-level access or higher to upload arbitrary PHP files to the server via the template import function. Once uploaded, these files can be accessed and executed remotely, enabling full server compromise.

The vulnerability stems from improper input validation and restrictions on the template import feature. By uploading a PHP file masked as a template export file, attackers can bypass filters and upload executable code. When accessed, this code runs with the same privileges as the web server itself.

This severe flaw enables remote code execution, PHP shell uploads, backdoor creation, data exfiltration, and a range of other attacks. Sites running vulnerable Elementor versions should immediately restrict contributor permissions and urgently update when patches become available.

Advice for Users:

  1. Immediate Action: Restrict contributor permissions to mitigate risk until update is available.
  2. Check for Signs of Compromise: Review logs and file manager for unauthorized changes.
  3. Alternate Plugins: Consider alternative page builders like Beaver Builder if risk is unacceptable.
  4. Stay Updated: Ensure Elementor and all plugins run latest versions when updates are released.

Conclusion:

This dangerous vulnerability requires urgent action from Elementor users and developers. Restricting contributor permissions can offer temporary protection, but sites remain critically exposed without an official patch. Users should closely monitor Elementor communications for new version releases, which should be applied immediately once available. Promptly restricting access and updating software remains the best way to avoid compromise.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/elementor

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/elementor/elementor-3180-authenticatedcontributor-arbitrary-file-upload-to-remote-code-execution-via-template-import

Detailed Report:

A dangerous website security threat has recently emerged that puts millions of WordPress sites at risk of compromise. A severe vulnerability was publicly disclosed this week in Elementor, one of the most popular WordPress page builder plugins, actively running on over 5 million websites. This flaw allows authenticated users with author or contributor access to remotely execute code on vulnerable servers, opening the door for serious hacks.

Elementor is a drag and drop website builder used by many small businesses to easily create WordPress pages and posts without needing to code. It has over 5 million active installs and has been downloaded over 357 million times, underscoring its immense popularity. Unfortunately, a critical security flaw has been found impacting all versions up to and including the latest 3.18.0.

This vulnerability allows users with contributor-level access or higher to upload arbitrary PHP files to the server via the template import function. Once uploaded, these files can be executed remotely, enabling full server compromise, remote code execution, backdoor creation, and data theft. The vulnerability stems from improper input validation on the template importer.

For small business owners without large security teams, this is an urgent threat. Hacks of this nature can lead to disruption of online operations, theft of customer data, reputational damage, blackmail, and even threats to physical safety. Prompt action is essential.

To mitigate risk, users should immediately restrict contributor permissions if possible and closely monitor the plugin for a patched update. However, restricting access may not be enough, and the underlying flaw leaves sites critically exposed without an official fix. Small business owners should consider proactive monitoring for unauthorized changes and be prepared to switch plugins if updates do not arrive soon.

This flaw highlights why staying on top of plugin and platform updates is so essential. New vulnerabilities emerge frequently, getting stealthily patched in newer versions. Without prompt updates, outdated software leaves the door unlocked for attackers. Unfortunately outdated plugins and themes are rampant across the web.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

WordPress Plugin Vulnerability Report – Elementor Website Builder – Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import FAQs

Leave a Comment