The CVE-2022-1329 Vulnerability
An authenticated remote code execution flaw has been discovered in the popular WordPress website builder plugin Elementor, which may be exploited to take control of affected websites.
Last week, Plugin Vulnerabilities revealed that the issue was detected in version 3.6.0, which was released on March 22, 2022, according to the company’s statement. As per the available information, the plugin’s version 3.6.x is used by around 37% of its users.
The problem revolves around file uploads, which might possibly result in code execution. The researchers say this implies that the website can run malicious code given by the attacker. Anyone who has access to the WordPress admin dashboard can take advantage of it, besides, the vulnerability may be exploitable by someone who isn’t registered in WordPress too.
A third-party data monitoring has revealed that Elementor, a popular WordPress plugin with more than 5 million active installations, was probed by, what the researchers believe to be a hacker, by requesting the following file.
Based on what has been detected in the limited checking, the researchers recommend that this plugin should not be used until it has been thoroughly reviewed and all security concerns have been addressed.
The report discloses that what has been detected is that the plugin isn’t managing basic security correctly, as the researchers have discovered several functionalities where capability checks have been missing when they shouldn’t. Some of these functionalities have been inaccessible to users who should not have access, but, at least one has been accessible, allowing for remote code execution (RCE). Such a serious type of vulnerability may allow the website to be used to launch malicious code provided by the attackers.
What has been explained is that this vulnerability might allow any authenticated user, regardless of their authorization, to modify the site title, logo, and theme, and upload arbitrary files to the website.