Elementor 3.6.3 Patches Critical Remote Code Execution Vulnerability

Elementor has patched a critical Remote Code Execution vulnerability that was discovered by threat analyst Ramuel Gall from Wordfence on March 29, 2022. Wordfence disclosed the vulnerability to Elementor via its official security contact email address but did not receive a timely reply. On April 11, 2022, Wordfence disclosed the vulnerability to the WordPress Plugins team. Elementor released a patch in version 3.6.3 on April 12, 2022.

Wordfence described the vulnerability as “Insufficient Access Control leading to Subscriber+ Remote Code Execution.” It received a CVSS (Common Vulnerability Scoring System) score of 9.9 (Critical). The vulnerability affects Elementor’s new  onboarding module, introduced recently in version 3.6.0.

Wordfence published a technical explanation of how an attacker might gain unauthorized access:

The module uses an unusual method to register AJAX actions, adding an admin_init listener in its constructor that first checks whether or not a request was to the AJAX endpoint and contains a valid nonce before calling the maybe_handle_ajax function.

Unfortunately no capability checks were used in the vulnerable versions. There are a number of ways for an authenticated user to obtain the Ajax::NONCE_KEY, but one of the simplest ways is to view the source of the admin dashboard as a logged-in user, as it is present for all authenticated users, even for subscriber-level users.

Elementor is installed on more than five million WordPress sites, but this particular vulnerability affects versions 3.6.0 – 3.6.2. At most, this would affect ~34% of users, according to the stats for the plugin’s current active versions. Now that the vulnerability is public, Elementor users are advised to update immediately to version 3.6.3 or later. A related security fix is packaged with version 3.6.4, according to the plugin’s changelog: “Fix: Optimized controls sanitization to enforce better security policies in Onboarding wizard.”


5 responses to “Elementor 3.6.3 Patches Critical Remote Code Execution Vulnerability”

  1. “Fix: Optimized controls sanitization to enforce better security policies in Onboarding wizard.”

    Plugin authors can, and should, do better than this. When their sites at are risk, there is a responsibility to communicate clearly with owners of sites who have installed our plugins.

    “Security fix: Versions 3.6.0 up to 3.6.3 contain a critical security vulnerability allowing any logged-in user (of any level) to take over complete control of the site. All sites with non-trusted users should update immediately.”

      • Sarah,
        For that to happen….either the companies have to have access to my hosting to show up a notification or have my e-mail address.

        You can see my e-mail that I type to post this comment, all WP based website admins have this.

        A lot of this touches the privacy issues.

        Obviously you are not going to take my e-mail address and add it to your mailing list, specially non-wptavern mailing list.

        I would have an issue with a plugin/theme author contacting me via the admin dashboard or directly to my e-mail.

        It’s bad enough that my admin dashboard gets the “you have used xyz plugin, please rate”, “get tips and tricks by subscribing to e-mail news letter, give me your e-mail address” “get pro version of xyz plugin” type messages.
        I am also against automatic updates, WP itself, the company/author of xyz plugin, etc…

        How would most companies get my contact information? I don’t provide it, the e-mail I use to comment on WPTavern and other sites in the WP Universe is not my main e-mail address.

        I think the owner/admin of a website should be doing the work, not the authors of plugins/themes/core.
        I login on my websites and check for any updates, update. Tadaaaaaaaa. Putting the onus on anyone outside the owner/admin……is irresponsible.

        Should Akismet inform you/Justin about an update or should you/Justin log-in once a while to check things out.

        If site 1 has an update on Akismet……sites 2-2000000 will have to have their Akismet updated too.

        By the way, after I do my own site updates…I come on WPtavern to read any new posts. I then go check e-mails. All by 10:00 local time.

  2. Pity to see a large company like Elementor keeping quiet for 14 days and needs a kick from WordPress to release a fix.
    As the song goes “It’s all ’bout the money. It’s all ’bout the dumb dum…”


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.