PSA: High Severity File Upload Vulnerability in Elementor Patched
On December 6, 2023, the Wordfence team noticed a changelog entry for version 3.18.1 of Elementor, a WordPress plugin installed on nearly 9 million sites. We did not discover the original vulnerability and only became aware of it after reviewing the changelog containing a partial patch. We immediately released a firewall rule to Wordfence Premium, Wordfence Care, and Wordfence Response customers. The firewall rule will be made available to free Wordfence users 30 days later, on January 5, 2023.
After reviewing the vulnerability further, we determined that the patch was insufficient and could still be exploited, though it would be more difficult.
We immediately contacted the Elementor team the same day, on December 6, 2023, to let them know that the patch failed to fully resolve the issue. Elementor released a sufficient patch in version 3.18.2 on December 8, 2023. We commend the team at Elementor in their swift response to this situation.
Fortunately, the vulnerability, while severe, requires Contributor-level privileges or higher to exploit, which minimizes the number of sites likely to be impacted. Few sites use Contributors, and attackers would need to be able to register as a contributor or higher user, or obtain valid credentials for a contributor-level+ user account to exploit this vulnerability.
Vulnerability Summary from Wordfence Intelligence
Description: Elementor validate_file( $file, $allowed_file_extensions );
if ( is_wp_error( $validation_result ) ) {
return $validation_result;
}
return $file;
}
This means that contributors with access to the Elementor editor could upload files of any type and they will be saved in a temporary directory with a randomized name. While attackers exploiting versions before 3.18.1 could use directory traversal to move the uploaded file into a more predictable location, the 3.18.1 partial patch sanitized the filename, meaning that it could only be uploaded directly to the temporary directory.
Since the exploit returns a 500 error and provides no feedback on the location of the temporary directory, attackers would have difficulty finding the uploaded file unless directory indexing was enabled on the server, which is no longer common due to the many security risks it presents.
Conclusion
In today’s PSA, we covered a file upload vulnerability in Elementor affecting versions 3.18.1 and earlier. We strongly recommend updating to the latest version of Elementor, which is 3.18.2 as of this writing, as soon as possible, as this is a high-severity vulnerability which can be used by attackers to upload files and take control of a site.
All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, are fully protected against this vulnerability.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
Did you know that Wordfence has a Bug Bounty Program? We’ve recently increased our bounties by 6.25x until December 20th, 2023, with our bounties for the most critical vulnerabilities reaching $10,000 USD! If you’re an aspiring or current vulnerability researcher, click here to sign up.
Source: wordfence.com