Latest Elementor Version Fixes Privilege Escalation Vulnerability Issues
Last month, we contacted the developer of the 5+ million install (and maybe 13 million install) WordPress plugin Elementor about yet another issue with them failing to properly restrict access to the plugin’s functionality to only users that are intended to access it. The only response we got back was asking for a subscription to their Elementor Pro plugin. That issue still hasn’t been fixed, but the latest version of the plugin, 3.13.2, did address some other instances of the issue that led to at least minor vulnerabilities.
The only changelog information given on the fix made was “Security Fix: Addressed security weaknesses in access management related functions”. Looking into this, so that we could properly inform our customers using that plugin, we found that user capability checks were added in several locations. One example of that involves the file /modules/safe-mode/module.php, where the ajax_enable_safe_mode function had such a capability check added to limit enabling a safe mode for the plugin to those with the install_plugins capability (which normally only Administrators have):
```php
public function ajax_enable_safe_mode( $data ) {
	if ( ! current_user_can( 'install_plugins' ) ) {
		throw new \Exception( 'Access denied.' );
	}
	// ...
```
Other functions were also changed, including those that display data, make other settings changes, and dismiss notices. At a quick glance, we didn’t see any serious issue that could have been exploited through those, but it is possible that access to them could be used for something more significant.
What wasn’t being added to those was a nonce check to prevent cross-site request forgery (CSRF), which should be done with AJAX accessible functions. Looking through additional code, we found that such a check is already being done before reaching those functions. The nonce being checked is accessible to anyone with access to the backend of WordPress, so normally anyone logged in to WordPress could have previously accessed this functionality.
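To show how the capability check above and the nonce check described here fit together in a WordPress AJAX handler, here is an added example (not Elementor’s code); the plugin prefix, action names and option name are assumed for illustration.

```php
<?php
// Added example, not code from Elementor. A hypothetical plugin exposes a
// privileged "enable safe mode" style action over admin-ajax.php.

add_action( 'wp_ajax_example_enable_safe_mode', 'example_ajax_enable_safe_mode' );

function example_ajax_enable_safe_mode() {
	// 1. CSRF protection: the request must carry a nonce tied to this action.
	//    A nonce only proves the request came from a page WordPress served to
	//    this logged-in user; it says nothing about what the user may do.
	//    check_ajax_referer() stops the request (HTTP 403) if the nonce is
	//    missing or invalid.
	check_ajax_referer( 'example_enable_safe_mode', '_nonce' );

	// 2. Authorization: the nonce does not replace a capability check. Without
	//    this line, any logged-in user (a Subscriber included) who can read the
	//    nonce out of an admin page's JavaScript config could trigger the action.
	if ( ! current_user_can( 'install_plugins' ) ) {
		wp_send_json_error( array( 'message' => 'Access denied.' ), 403 );
	}

	// Only users with install_plugins (Administrators by default) reach here.
	update_option( 'example_safe_mode', 'yes' );
	wp_send_json_success( array( 'safe_mode' => 'enabled' ) );
}

// The nonce the admin page's JavaScript must send is generated for the same
// action string (for example, handed to the page via wp_localize_script()).
function example_safe_mode_nonce() {
	return wp_create_nonce( 'example_enable_safe_mode' );
}
```

Dropping either check reproduces one of the two weaknesses discussed: without the nonce, a CSRF page can drive an Administrator’s browser into the action; without the capability check, any logged-in user holding the nonce can call it directly.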
Proof of Concept
The following proof of concept will enable the plugin’s safe mode, when logged in to WordPress.
Replace “[path to WordPress]” with the location of WordPress and “[nonce]” with the value of “nonce” in the source code of admin pages from the variable “elementorCommonConfig”.
http://[path to WordPress]/wp-admin/admin-ajax.php?action=elementor_ajax&_nonce=[nonce]&actions={%22enable_safe_mode%22:{%22action%22:%22enable_safe_mode%22}}