Elementor, a WordPress website builder plugin with over five million active installs, has been found to be vulnerable to an authenticated remote code execution flaw that could be abused to take over affected websites.
Plugin Vulnerabilities, which disclosed the flaw last week, said the bug was introduced in version 3.6.0 released on March 22, 2022. About 37% of plugin users are using version 3.6.x.
“This means that the malicious code provided by the attacker can be executed by the website,” the researchers said. “In this case, it’s possible that the vulnerability could be exploited by someone not logged into WordPress, but it can easily be exploited by anyone logged into WordPress with access to the WordPress admin dashboard.”
In a nutshell, the issue is a case of arbitrary file uploads to affected websites, potentially leading to code execution.
The bug has been fixed in the latest version of Elementor, with Patchstack noting that “this vulnerability could allow any authenticated user, regardless of permissions, to change the site title, site logo, change the theme for the Elementor theme, and worst of all, upload arbitrary files to the site.”
The disclosure comes more than two months after Essential Addons for Elementor was discovered to contain a critical vulnerability that could lead to arbitrary code execution on compromised websites.