WordPress Elementor Plugin Remote Code Execution Vulnerability – Search Engine Journal
A Remote Code Execution Vulnerability discovered in the Elementor Website Builder plugin that can lead to full site takeover
A vulnerability was discovered in Elementor, starting with version 3.6.0, that allows an attacker to upload arbitrary code and stage a full site takeover. The flaw was introduced through a lack of proper security policies in a new “Onboarding” wizard feature.
The flaw in Elementor was related to what is known as Capability Checks.
A capability check is a security layer that every plugin maker is obliged to implement: before an action runs, it verifies what permission level the logged-in user holds.
For example, a user with subscriber-level permissions may be able to submit comments on articles, but they won't hold the permission levels that grant access to the WordPress editing screen for publishing posts to the site.
User roles can be administrator, editor, subscriber and so on, and each role carries a set of user capabilities assigned to it.
When a plugin runs code, it is supposed to check if the user has sufficient capability for executing that code.
WordPress publishes a Plugin Handbook that specifically addresses this important security check.
The chapter, called "Checking User Capabilities", outlines what plugin makers need to know about this kind of security check.
The WordPress handbook advises:
“Checking User Capabilities
If your plugin allows users to submit data—be it on the Admin or the Public side—it should check for User Capabilities.
…The most important step in creating an efficient security layer is having a user permission system in place. WordPress provides this in the form of User Roles and Capabilities.”
Elementor version 3.6.0 introduced a new module (Onboarding module) that failed to include capabilities checks.
So the problem with Elementor is not that hackers were clever and discovered a way to take over Elementor-based websites.
The exploit in Elementor was due to a failure to use capability checks where they were required.
According to the report published by Wordfence:
“Unfortunately no capability checks were used in the vulnerable versions.
An attacker could craft a fake malicious “Elementor Pro” plugin zip and use this function to install it.
Any code present in the fake plugin would be executed, which could be used to take over the site or access additional resources on the server.”
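To make the handbook guidance and the Wordfence finding concrete, here is an added example (not Elementor's code) of how an admin-ajax handler that installs a plugin package is supposed to be gated. The hook, action, nonce and constant names are hypothetical; the vulnerable pattern described above is the same handler with steps 1 and 2 missing, so any logged-in user could reach the installer.

```php
<?php
// Added example, not Elementor's code. Names prefixed "demo_" are hypothetical.
// Assumption: the plugin defines the only origin it will accept packages from.
define( 'DEMO_TRUSTED_PACKAGE_BASE', 'https://downloads.example.com/' );

add_action( 'wp_ajax_demo_onboarding_install_plugin', 'demo_onboarding_install_plugin' );

function demo_onboarding_install_plugin() {
    // 1. Nonce check: rejects requests that did not originate from the
    //    onboarding screen this plugin rendered (CSRF protection).
    check_ajax_referer( 'demo_onboarding_nonce', 'nonce' );

    // 2. Capability check: the layer the vulnerable versions lacked. Only roles
    //    granted install_plugins (administrators by default) may continue.
    //    wp_send_json_error() terminates the request, so no return is needed.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Defense in depth: accept a package URL only from the trusted origin,
    //    never an arbitrary location supplied by the request.
    $package = isset( $_POST['package'] ) ? esc_url_raw( wp_unslash( $_POST['package'] ) ) : '';
    if ( '' === $package || 0 !== strpos( $package, DEMO_TRUSTED_PACKAGE_BASE ) ) {
        wp_send_json_error( array( 'message' => 'Untrusted package source.' ), 400 );
    }

    // 4. Only now hand the package to core's installer.
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $package );

    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Installation failed.' ), 500 );
    }
    wp_send_json_success();
}
```

A quick audit check for any plugin is to grep its `wp_ajax_` and REST callbacks for a `current_user_can()` call before any code that writes files or installs packages.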
The vulnerability was introduced in Elementor version 3.6.0 and thus does not exist in versions before that one.
Wordfence recommends that publishers update to version 3.6.3.
However, the official Elementor Changelog states that version 3.6.4 fixes sanitization issues related to the affected Onboarding wizard module.
So it’s probably a good idea to update to Elementor 3.6.4.
Read the Wordfence report on the Elementor vulnerability: Critical Remote Code Execution Vulnerability in Elementor