The Elementor Website Builder plugin has a Remote Code Execution Vulnerability that can lead to full site takeover.
Starting with version 3.6.0, a vulnerability in Elementor was discovered that allows an attacker to submit arbitrary code and take control of the entire site. A lack of suitable security policies in a new “Onboarding” wizard tool exposed the problem.
Missing Capability Checks
The flaw in Elementor was caused by something called Capability Checks.
A capability check is a security feature that all plugin developers must include. The capability check determines the permission level of each logged in user.
A user with a subscriber level permission, for example, may be able to leave comments on articles, but they will not have access to the WordPress editing page, where they can publish content to the site.
User Roles can be admin, editor, subscriber, and so on, with User Capabilities allocated to each user role at each level.
When a plugin runs code, it’s supposed to check if the user has the necessary permissions to run it.
This crucial security check is expressly addressed in the WordPress Plugin Handbook.
Checking User Capabilities is the title of the chapter, and it explains what plugin developers need to know about this type of security check.
In Elementor 3.6.0, a new module (Onboarding module) was introduced that did not include capabilities checks.
So the issue with Elementor isn’t that hackers were clever and discovered a means to take over Elementor-based websites in their entirety.
Elementor’s exploit was caused by a failure to employ capability checks when they were expected to be used.
Recommended Action
The vulnerability was first discovered in Elementor version 3.6.0, and it does not present in previous versions.
Publishers should upgrade to version 3.6.3, according to Wordfence.
Version 3.6.4, according to the official Elementor Changelog, fixes sanitization issues with the impacted Onboarding wizard module.
As a result, updating to Elementor 3.6.4 is definitely a smart idea.
You can always ease your mind and subscribe to our Monthly WordPress maintenance support.