A critical vulnerability was discovered in the Elementor Website Builder Plugin for WordPress

The CVE-2022-1329 Vulnerability

An authenticated remote code execution flaw has been discovered in the popular WordPress website builder plugin Elementor, which may be exploited to take control of affected websites.


Last week, Plugin Vulnerabilities revealed that the issue was detected in version 3.6.0, which, according to the company's statement, was released on March 22, 2022. Based on the available information, the plugin's 3.6.x branch is used by around 37% of its users.

The problem revolves around file uploads, which might result in code execution. The researchers say this means the website can be made to run malicious code supplied by the attacker. Anyone with access to the WordPress admin dashboard can take advantage of it, and the vulnerability may also be exploitable by someone who is not registered in WordPress at all.

Third-party data monitoring has revealed that Elementor, a popular WordPress plugin with more than 5 million active installations, was probed by what the researchers believe to be a hacker, who requested the following file:

/wp-content/plugins/elementor/readme.txt

Based on what was detected in this limited review, the researchers recommend that the plugin should not be used until it has been thoroughly reviewed and all security concerns have been addressed.

The report discloses that the plugin is not handling basic security correctly: the researchers found several functionalities where capability checks were missing when they should have been present. Some of these functionalities were still inaccessible to users who should not have access, but at least one was accessible, allowing for remote code execution (RCE). A vulnerability of this severity may allow the website to be used to launch malicious code provided by attackers.

The report explains that this vulnerability might allow any authenticated user, regardless of their authorization, to modify the site title, logo, and theme, and to upload arbitrary files to the website.
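As an added illustration, not code from Elementor or from the report, the following shows a minimal WordPress admin-ajax upload handler first without the capability check the report describes as missing, then in a hardened form; the `demo_` function and hook names are hypothetical.

```php
<?php
// Illustrative example only (not Elementor's code). wp_ajax_* handlers run for
// every authenticated account, so authorization must be enforced in the handler.

// Weak: no nonce and no capability check, so any logged-in user, whatever their
// role, can write an arbitrary file into the uploads directory.
function demo_upload_weak() {
    $dest = wp_upload_dir()['basedir'] . '/' . basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( array( 'path' => $dest ) );
}
add_action( 'wp_ajax_demo_upload_weak', 'demo_upload_weak' );

// Hardened: verify a nonce tied to this action, require a capability that only
// trusted roles hold, and let WordPress validate the file type and name.
function demo_upload_hardened() {
    check_ajax_referer( 'demo_upload', 'nonce' );        // CSRF protection
    if ( ! current_user_can( 'upload_files' ) ) {         // authorization check
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    // wp_handle_upload() rejects extensions outside the allowed MIME list and
    // sanitises the file name, so a server-side script is not written to disk.
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_demo_upload_hardened', 'demo_upload_hardened' );
```

When auditing a plugin, look for `wp_ajax_*`, REST route and `admin_post_*` handlers that perform privileged actions without a `current_user_can()` call of this kind.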


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.
