CVE-2022-1329
📋 TL;DR
This vulnerability in the Elementor Website Builder plugin for WordPress allows authenticated attackers to execute unauthorized AJAX actions because the handlers lack capability checks. Attackers can modify site data and upload malicious files, leading to remote code execution. WordPress sites running Elementor versions 3.6.0 through 3.6.2 are affected.
💻 Affected Systems
- WordPress Elementor Website Builder Plugin
📦 What is this software?
Website Builder by Elementor
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise with attacker gaining full control, installing backdoors, stealing data, and using the server for further attacks.
Likely Case
Attackers upload web shells to gain persistent access, deface websites, or install cryptocurrency miners.
If Mitigated
If proper access controls and file upload restrictions are in place, impact is limited to unauthorized data modification without code execution.
🎯 Exploit Status
Exploit requires authenticated access (subscriber role or higher). Multiple public exploit scripts and detailed write-ups are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.3
Vendor Advisory: https://wordpress.org/plugins/elementor/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Elementor and click 'Update Now'.
4. Verify the version is 3.6.3 or higher.
🔧 Temporary Workarounds
Disable Elementor Plugin
Temporarily disable the Elementor plugin until patching is possible:
wp plugin deactivate elementor
Restrict File Uploads
Implement web application firewall rules to block suspicious file uploads.
🧯 If You Can't Patch
- Implement strict access controls and limit user registration
- Deploy web application firewall with rules to detect and block exploit attempts
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel → Plugins → Elementor version. If the version is between 3.6.0 and 3.6.2 inclusive, the system is vulnerable.
Check Version:
wp plugin get elementor --field=version
Verify Fix Applied:
Verify Elementor version is 3.6.3 or higher in WordPress admin panel.
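The version check above is easy to get wrong when done as a plain string comparison (for example, "3.10.1" sorts before "3.6.3" as a string). The following is an added example, not part of the original advisory or of Elementor's own tooling: it parses the output of the `wp plugin get elementor --field=version` command shown above into a numeric tuple and evaluates the affected range 3.6.0–3.6.2 and the fixed version 3.6.3 given on this page. The `installed_elementor_version` helper and the handling of `-beta` style suffixes are assumptions for illustration.

```python
import subprocess
from typing import Optional, Tuple

# Range and fix version as stated in the advisory.
AFFECTED_MIN = (3, 6, 0)
AFFECTED_MAX = (3, 6, 2)
FIXED = (3, 6, 3)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '3.6.2' (or '3.6.2-beta1', '3.6') into a comparable (major, minor, patch) tuple.

    Assumption: a '-suffix' marks a pre-release and is ignored for the range check.
    """
    core = text.strip().split("-")[0]
    nums = []
    for part in core.split("."):
        if not part.isdigit():
            raise ValueError(f"unexpected version component in {text!r}")
        nums.append(int(part))
    while len(nums) < 3:          # '3.6' is treated as 3.6.0
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_vulnerable(version_text: str) -> bool:
    """True when the installed version falls inside the affected range (inclusive)."""
    v = parse_version(version_text)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def is_fixed(version_text: str) -> bool:
    """True when the installed version is the patched release or newer."""
    return parse_version(version_text) >= FIXED


def installed_elementor_version() -> Optional[str]:
    """Run the wp-cli command from the advisory (hypothetical wrapper); None if wp-cli is unavailable."""
    try:
        out = subprocess.run(
            ["wp", "plugin", "get", "elementor", "--field=version"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    version = installed_elementor_version()
    if version is None:
        print("wp-cli not available or Elementor not installed")
    elif is_vulnerable(version):
        print(f"Elementor {version}: VULNERABLE (CVE-2022-1329), update to 3.6.3 or later")
    elif is_fixed(version):
        print(f"Elementor {version}: patched")
    else:
        print(f"Elementor {version}: outside the affected range")
```

Run it on the WordPress host as the user that owns the site files; the comparison functions can also be reused against a version list pulled from a fleet inventory.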
📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests to elementor/admin.php
- File uploads to wp-content/uploads/elementor/
- POST requests with 'action' parameter containing 'elementor_ajax'
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with elementor-specific actions
- Uploads of PHP files to Elementor directories
SIEM Query:
source="web_logs" AND (uri="/wp-admin/admin-ajax.php" AND post_data CONTAINS "elementor")
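To turn the indicators above into something that runs against real logs, here is an added example (not part of the original advisory, and not Elementor's or WordPress's own code) that parses web server lines in combined log format and flags the two network indicators listed: POSTs to `/wp-admin/admin-ajax.php` whose `action` parameter contains "elementor", and PHP files being served from under `wp-content/uploads/elementor/`. The sample log lines, IP addresses and the file name `shell.php` are constructed for the example. Note that combined-format logs do not record POST bodies, so an `action` sent in the body rather than the query string is only visible if the WAF or a request-body audit log captures it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2022:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2022:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=elementor_ajax HTTP/1.1" 200 120 "-" "python-requests/2.27"
203.0.113.10 - - [12/Apr/2022:10:01:09 +0000] "GET /wp-content/uploads/elementor/shell.php?cmd=id HTTP/1.1" 200 67 "-" "python-requests/2.27"
198.51.100.7 - - [12/Apr/2022:10:02:00 +0000] "GET /wp-content/uploads/elementor/css/post-12.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return a dict of fields for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry) -> list:
    """Return the indicator labels that apply to one parsed request."""
    hits = []
    parts = urlsplit(entry["target"])
    path = parts.path.lower()
    action = (parse_qs(parts.query).get("action") or [""])[0].lower()

    # Indicator 1: admin-ajax.php called with an Elementor-specific action.
    if (entry["method"] == "POST"
            and path.endswith("/wp-admin/admin-ajax.php")
            and "elementor" in action):
        hits.append("elementor-ajax-action")

    # Indicator 2: a PHP file served from the Elementor uploads directory,
    # which should only ever hold CSS/JSON/image assets.
    if "/wp-content/uploads/elementor/" in path and path.endswith(".php"):
        hits.append("php-in-elementor-uploads")

    return hits


def scan_log(text: str) -> list:
    """Scan a block of log text and return (ip, method, target, labels) for each flagged request."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        labels = classify(entry)
        if labels:
            findings.append((entry["ip"], entry["method"], entry["target"], labels))
    return findings


if __name__ == "__main__":
    for ip, method, target, labels in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {target} -> {', '.join(labels)}")
```

The second indicator is the higher-confidence one: a request for a `.php` file under the uploads tree, whatever its name, means something executable was written where only static assets belong, and a 200 status on it means the server executed it. Pair the first indicator with the user account resolved from the session cookie or WordPress audit log, since the advisory notes the action only needs a subscriber-level login.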
🔗 References
- http://packetstormsecurity.com/files/168615/WordPress-Elementor-3.6.2-Shell-Upload.html
- https://plugins.trac.wordpress.org/changeset/2708766/elementor/trunk/core/app/modules/onboarding/module.php
- https://www.pluginvulnerabilities.com/2022/04/12/5-million-install-wordpress-plugin-elementor-contains-authenticated-remote-code-execution-rce-vulnerability/
- https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/