30 Jan 2024

Elementor is Still Providing Access to Security Nonces to WordPress Users Who Shouldn’t Have Them

We are currently in the process of reviewing a partially disclosed possible vulnerability in a 200,000+ install WordPress plugin that extends the 5+ million install plugin Elementor. One issue we found with the possible vulnerability is that the developer is failing to properly limit access to functionality in the plugin, and is instead relying solely on a nonce to limit access to the intended WordPress users. The WordPress documentation for nonces clearly states that this shouldn’t be done:

Nonces should never be relied on for authentication, authorization, or access control. Protect your functions using current_user_can(), and always assume nonces can be compromised.

There was a good reminder of why that is, as we found that Elementor is continuing to improperly handle providing access to nonces. What we found is that numerous scripts for the plugin are being loaded on all admin pages of WordPress, even for users logged in as Subscribers who have no access to Elementor. Clearly that is not all intended for those users, as one of those scripts included a URL with a nonce, which looked like this:

/wp-admin/edit.php?action=elementor_new_post&post_type=e-landing-page&template_type=landing-page&_wpnonce=a67176d1a8#library

Accessing the URL we got a message that said “Sorry, you are not allowed to access this page.”

That permissive access to nonces led in part to a widely exploited vulnerability in Elementor in 2022, which makes the continued failure to handle them properly harder to understand.

It is also an issue that they are loading every admin page being accessed with additional data that isn’t needed there.

The documentation for the function that is used for enqueuing the scripts, admin_enqueue_scripts, notes that it has a parameter, $hook_suffix, to avoid this:

This should be used to enqueue scripts and styles only in the pages they are going to be used, and avoid adding script and styles to all admin dashboard unnecessarily.
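The two points above, relying on a nonce alone versus checking the user's capability, and enqueuing on every admin page versus only on the page that needs the script, as an added example that is not Elementor's code. The WordPress hooks and functions are real; the plugin-specific names (myplugin_*) are hypothetical.

```php
<?php
// Added example, not from the plugin discussed in the post. WordPress hook and
// function names are real; everything prefixed myplugin_ is hypothetical.

// Weak: the nonce is the only gate. Any logged-in user who can read the nonce
// out of a script loaded on a page they are allowed to visit passes this check.
function myplugin_handle_new_post_weak() {
    check_admin_referer( 'myplugin_new_post' ); // dies only on a bad/missing nonce
    // ... create the post here
}

// Hardened: the capability check is the access control; the nonce is kept
// only as CSRF protection, as the WordPress documentation quoted above says.
function myplugin_handle_new_post() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( __( 'Sorry, you are not allowed to access this page.' ), 403 );
    }
    check_admin_referer( 'myplugin_new_post' );
    // ... create the post here
}
add_action( 'admin_post_myplugin_new_post', 'myplugin_handle_new_post' );

// Enqueue only on the plugin's own admin screen and only for users who may use
// it, so the script (and the nonce URL embedded in it) never reaches a
// Subscriber's dashboard. $hook_suffix identifies the admin page being rendered.
function myplugin_admin_scripts( $hook_suffix ) {
    // Assumption: the plugin's page was registered with add_menu_page(), so it
    // renders with the hook suffix 'toplevel_page_' . $menu_slug.
    if ( 'toplevel_page_myplugin' !== $hook_suffix ) {
        return;
    }
    if ( ! current_user_can( 'edit_posts' ) ) {
        return;
    }
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    // The nonce URL is only generated and exposed on this screen for this user.
    wp_localize_script( 'myplugin-admin', 'myplugin', array(
        'newPostUrl' => wp_nonce_url(
            admin_url( 'admin-post.php?action=myplugin_new_post' ),
            'myplugin_new_post'
        ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_admin_scripts' );
```

With the hardened handler, a Subscriber who somehow obtains a valid nonce still gets the "Sorry, you are not allowed to access this page." response, because the capability check runs before the nonce is even considered.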

This continued poor handling of security is exactly the sort of thing that led to us advising against using plugins developed by Elementor last year. The soundness of that advice is further strengthened by this.

We notified Elementor about the issue yesterday through their security email (they list that as an alternative to contacting two bug bounty programs that were not relevant to what we were reporting). Their customer support department, for some reason not their security department, responded with this later in the day:

We have reviewed the case and it has already been escalated to the concerned department.

I see that there’s an open ticket already related to the concern. Please avoid creating new tickets to ensure we address your concern.

We haven’t reported this to them before. We did report an unrelated security issue to them in April of last year. So who knows what is going on there.
