
Critical RCE Flaw Reported in WordPress Elementor Website Builder Plugin

WordPress Elementor Website Builder Plugin

Elementor, a WordPress website builder plugin with over five
million active installations, has been found to be vulnerable to an
authenticated remote code execution flaw that could be abused to
take over affected websites.

Plugin Vulnerabilities, which disclosed[1]
the flaw last week, said the bug was introduced in version 3.6.0,
which was released on March 22, 2022. Roughly 37% of users[2]
of the plugin are on version 3.6.x.


“That means that malicious code provided by the attacker can be
run by the website,” the researchers said. “In this instance, it is
possible that the vulnerability might be exploitable by someone not
logged in to WordPress, but it can easily be exploited by anyone
logged in to WordPress who has access to the WordPress admin
dashboard.”

In a nutshell, the issue relates to a case of arbitrary file
upload to affected websites, potentially leading to code
execution.


The bug has been addressed in the latest version of Elementor,
with Patchstack noting[3]
that “this vulnerability could allow any authenticated user,
regardless of their authorization, to change the site title, site
logo, change the theme to Elementor’s theme, and worst of all,
upload arbitrary files to the site.”
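The Patchstack description above (any authenticated user, regardless of their authorization, can change site settings and upload files) is the signature of an admin-ajax handler that checks only that a user is logged in. The following is an added illustration, not Elementor's code and not the actual vulnerable function: a hypothetical `demo_save_settings` handler with the action names, the `site_title`/`logo` request fields and the `site_logo` option chosen for this example. It shows the weak pattern beside a hardened one that adds a nonce check, a capability check and a restricted upload type list.

```php
<?php
// Added example (not from Elementor or the article): a hypothetical
// admin-ajax handler that updates the site title and stores a logo upload.

// Weak pattern. Registering under wp_ajax_* means WordPress only requires
// a logged-in session; nothing here asks WHICH user is calling or whether
// the request was intended. A Subscriber-level account can reach it through
// admin-ajax.php. Registering the same callback under wp_ajax_nopriv_* would
// additionally expose it to callers who are not logged in at all.
add_action( 'wp_ajax_demo_save_settings_weak', 'demo_save_settings_weak' );
function demo_save_settings_weak() {
    update_option( 'blogname', wp_unslash( $_POST['site_title'] ?? '' ) );
    if ( ! empty( $_FILES['logo'] ) ) {
        // media_handle_upload() stores the file; it does not decide who may upload.
        $attachment_id = media_handle_upload( 'logo', 0 );
        if ( ! is_wp_error( $attachment_id ) ) {
            update_option( 'site_logo', $attachment_id ); // 'site_logo' used as a placeholder option name
        }
    }
    wp_send_json_success();
}

// Hardened pattern: same feature, with the missing checks in place.
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings' );
function demo_save_settings() {
    // 1. Request intent (CSRF): the caller must present a nonce minted for this
    //    action, e.g. wp_create_nonce( 'demo_save_settings' ) on the admin page.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'demo_save_settings', 'security' );

    // 2. Authorization: a valid login is not an authorization decision. Require
    //    the capability that governs each operation. wp_send_json_error() exits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    if ( ! empty( $_FILES['logo'] ) && ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Input validation before touching options.
    $title = sanitize_text_field( wp_unslash( $_POST['site_title'] ?? '' ) );
    if ( '' === $title ) {
        wp_send_json_error( 'site_title is required', 400 );
    }
    update_option( 'blogname', $title );

    // 4. Uploads: accept only the types this feature actually needs. The
    //    'mimes' override narrows the allowed list that WordPress checks via
    //    wp_check_filetype_and_ext(), so a renamed script is rejected.
    if ( ! empty( $_FILES['logo'] ) ) {
        $overrides = array(
            'test_form' => false,
            'mimes'     => array(
                'png'      => 'image/png',
                'jpg|jpeg' => 'image/jpeg',
            ),
        );
        $attachment_id = media_handle_upload( 'logo', 0, array(), $overrides );
        if ( is_wp_error( $attachment_id ) ) {
            wp_send_json_error( $attachment_id->get_error_message(), 400 );
        }
        update_option( 'site_logo', $attachment_id ); // placeholder option name
    }

    wp_send_json_success();
}
```

When auditing a plugin for this class of bug, the useful question for each `wp_ajax_*` (and especially each `wp_ajax_nopriv_*`) callback is whether a `current_user_can()` check and a nonce check both precede every state change; a handler that reaches `update_option()` or `media_handle_upload()` without them is reachable by any account the site allows to register.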


The disclosure comes more than two months after Essential Addons
for Elementor was found[4]
to contain a critical vulnerability that could result in the
execution of arbitrary code on compromised websites.

References

  1. disclosed (www.pluginvulnerabilities.com)
  2. 37% of users (wordpress.org)
  3. noting (patchstack.com)
  4. found (thehackernews.com)
