Elementor WordPress Plugin Vulnerability

by | Dec 6, 2023 | Digital Marketing, News, WordPress

The popular Elementor website builder plugin for WordPress was found to have a high-severity vulnerability in its template uploader functionality. This vulnerability could allow an attacker to upload and execute files on the website server. Elementor, with over 5 million installations, is known for its ease of use in creating professional websites through a drag-and-drop interface.

The vulnerability, rated 8.8/10, poses a Remote Code Execution risk, meaning an attacker could gain control of the website and run various commands. Specifically, this is categorized as an Unrestricted Upload of File with Dangerous Type, which allows attackers to upload malicious files for executing commands on the affected website server.

According to Wordfence, the Elementor plugin is vulnerable to Remote Code Execution via file upload in all versions up to and including 3.18.0. This means that authenticated attackers with contributor-level access and above can upload files and execute code on the server. Wordfence also notes that there is currently no known patch for this vulnerability and recommends that organizations review the details of the vulnerability and consider uninstalling the affected software and finding a replacement.

In response to this vulnerability, Elementor released an update to version 3.18.1, claiming to have improved code security enforcement in the File Upload mechanism. However, it is uncertain whether this patch fully addresses the vulnerability, as the Wordfence advisory still lists the vulnerability as unpatched at the time of the update. Wordfence further warns that there have already been hacking attempts on Elementor websites, with eleven attempts blocked by the paid version at the time of the announcement.

In conclusion, the Elementor website builder plugin has been found to have a high-severity vulnerability that poses a risk of Remote Code Execution. While the plugin has released an update, it is unclear if the patch fully addresses the vulnerability. Organizations are advised to assess the risk and consider uninstalling the affected software until a suitable patch is available.
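To support that risk assessment, the following added example (not code from Elementor, Wordfence or the original article) checks whether a WordPress install carries an Elementor version inside the advisory's range and lists files under the uploads directory with server-executable extensions. It assumes the standard layout (`wp-content/plugins/elementor/elementor.php`, `wp-content/uploads`); the extension list and status labels are illustrative choices.

```python
import re
from pathlib import Path

LAST_AFFECTED = (3, 18, 0)  # advisory: "all versions up to and including 3.18.0"
# Assumption: extensions a typical PHP host may execute; match this to your handler config.
EXECUTABLE_EXT = {".php", ".phtml", ".phar", ".php5", ".php7"}

def parse_version(text):
    """Return (major, minor, patch) from a 'Version: x.y.z' plugin header, or None."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\d+)\.(\d+)(?:\.(\d+))?", text, re.M | re.I)
    if not m:
        return None
    # Numeric tuple, so 3.9.2 sorts below 3.18.0 (a string comparison would not).
    return tuple(int(g or 0) for g in m.groups())

def elementor_status(wp_root):
    """Classify the install as 'absent', 'unknown', 'affected' or 'above-range'."""
    main_file = Path(wp_root) / "wp-content/plugins/elementor/elementor.php"
    if not main_file.is_file():
        return "absent"
    version = parse_version(main_file.read_text(errors="replace")[:8192])
    if version is None:
        return "unknown"
    # 'above-range' is not 'fixed': the article notes 3.18.1 was still listed as unpatched.
    return "affected" if version <= LAST_AFFECTED else "above-range"

def executable_uploads(wp_root):
    """List files under wp-content/uploads whose extension the server could execute."""
    uploads = Path(wp_root) / "wp-content/uploads"
    if not uploads.is_dir():
        return []
    hits = []
    for path in uploads.rglob("*"):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_EXT:
            hits.append(path.relative_to(uploads).as_posix())
    return sorted(hits)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print("Elementor:", elementor_status(root))
    for hit in executable_uploads(root):
        print("review:", hit)
```

Any file the second check reports deserves manual review, since a media uploads directory normally has no reason to hold server-side scripts.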
