Trying to Decipher a Vulnerability Claim for a WordPress Plugin
Patchstack claims there had been an authenticated remote code execution (RCE) vulnerability in the WordPress plugin Dynamic Content for Elementor, which at least one of our customers started using recently. Trying to figure out what is going on there showed the difficulty of trying to vet vulnerability claims in WordPress plugins.
In trying to figure out what was going on, we tried visiting the two links included in Patchstack’s information. Both links are broken. Looking at an archived copy of one of them, a changelog for the plugin, it doesn’t make any mention of a security fix in the version Patchstack claims fixes this. Here is what is listed for that version:
- New: Dynamic Posts v2 widget
- Add: Currency value and decimal places for numbers on ACF Fields
- Add: RTL Settings for PDF Button widget and PDF Action for Elementor Pro Form
- Add: DPI Settings for PDF Button widget and PDF Action for Elementor Pro Form
- Fix: Minor fixes
We are at a loss as to what the purpose of that link is supposed to be, because it doesn’t seem to have any relevance to the claimed vulnerability.
What Plugin is Supposed to be Vulnerable?
The archived copy of the other link at times seems to suggest this was an issue in another plugin, Elementor Pro. It links to a CVE ID, CVE-2020-26596, which says:
The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows
The version number listed there matches with the link’s mention of the version of Elementor Pro:
Elementor <= 3.0.5
Though it also mentions WordPress in the same way, despite the claimed vulnerability not seeming to have anything to do with any issue in WordPress:
WordPress <= 5.5.1
According to the current changelog for Dynamic Content for Elementor, the latest version is 2.12.7.
The CVE Record lists the changelog for Elementor Pro as a reference, and that changelog lists these entries for the version after 3.0.5:
- Tweak: Updated the embedded post in Facebook Embed widget
- Fix: Minor UI glitches in Theme Builder’s conditions screen footer
- Fix: Template type changes into Single Page after conditions change in Theme Builder
- Fix: Redundant Custom Caption option in Site Logo widget
- Fix: Removed unused code in Drip integration
- Fix: Removed Weibo and WeChat social networks due to website and links inactivity from Share Buttons widget
- Fix: Removed redundant code from Portfolio and Post Navigation widgets
So nothing related to the claimed vulnerability.
What Role is Supposed to be Required?
Patchstack is claiming that the Administrator role is needed to access this, which would likely mean this wasn’t a vulnerability. But the second link says that it was accessible by Editors:
A user with “editor” privileges on WordPress can modify a site or site content using “Elementor” and add a PHP Raw snippet, using the Dynamic OOO widget:
The plugin incorrectly validates the user’s privilege, allowing a non-administrator user to make use of the Snippet:
That would be a vulnerability.
Was There a Vulnerability in Dynamic Content for Elementor?
Putting that all together, it seems like there likely was a vulnerability in Dynamic Content for Elementor, though it was misconstrued as a vulnerability in Elementor Pro in some of the information. Has it been fixed? It looks like it is claimed to have been fixed. Though, it would be a good idea to check that the plugin’s PHP Raw widget, if it exists, and other widgets from the plugin are accessible to only those that should have access. Something we will do if any of our customers get back to us after we alert them to the possibility of the issue on their website.
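One way to start the check suggested above, as an added example (not code from this post, the plugin, or Patchstack): walk exported Elementor page data and flag pages that contain the PHP-executing widget and were last edited by a non-Administrator. It assumes Elementor's layout is stored as JSON in the `_elementor_data` post meta with `elType`, `widgetType` and `elements` keys; the widget type name is a placeholder, and the sample posts are constructed.

```python
import json

# Assumption: placeholder name. The page does not give the widget's real type identifier.
SUSPECT_WIDGET_TYPES = {"PLACEHOLDER-php-raw-widget"}
# Assumption: only Administrators are trusted to place a PHP-executing widget.
TRUSTED_ROLES = {"administrator"}

def iter_widgets(elements):
    """Yield every widget node in an Elementor element tree, at any depth."""
    stack = list(elements)
    while stack:
        node = stack.pop()
        if not isinstance(node, dict):
            continue
        if node.get("elType") == "widget":
            yield node
        stack.extend(node.get("elements") or [])

def audit(posts):
    """Return (post_id, widget_id, verdict) for each suspect widget found."""
    findings = []
    for post in posts:
        try:
            tree = json.loads(post["elementor_data"])
        except (TypeError, ValueError):
            # Fail closed: data we cannot parse needs a manual look.
            findings.append((post["id"], None, "unparseable"))
            continue
        for widget in iter_widgets(tree if isinstance(tree, list) else [tree]):
            if widget.get("widgetType") in SUSPECT_WIDGET_TYPES:
                trusted = post["last_editor_role"] in TRUSTED_ROLES
                findings.append((post["id"], widget.get("id"), "ok" if trusted else "review"))
    return findings

# Constructed sample export: post ID, role of the last editor, raw _elementor_data JSON.
RAW = {"id": "c1", "elType": "widget", "widgetType": "PLACEHOLDER-php-raw-widget"}
SAMPLE_POSTS = [
    {"id": 11, "last_editor_role": "editor", "elementor_data": json.dumps(
        [{"id": "a1", "elType": "section", "elements": [
            {"id": "b1", "elType": "column", "elements": [RAW]}]}])},
    {"id": 12, "last_editor_role": "administrator", "elementor_data": json.dumps([RAW])},
    {"id": 13, "last_editor_role": "editor", "elementor_data": json.dumps(
        [{"id": "e1", "elType": "widget", "widgetType": "heading"}])},
    {"id": 14, "last_editor_role": "editor", "elementor_data": "{not json"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POSTS):
        print(finding)
```

The last editor's role is only a proxy for who inserted the widget, so a "review" result is a prompt to look at the page's revision history rather than proof of misuse.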