CVE-2022-1329
Published 2022-04-19
Priority: P1 (88) · CVSS 3.1: 8.8 (High) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 92.94% (99.8th percentile)
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that makes it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elementor | website_builder | 3.6.0 – 3.6.2 | — |
| elemntor | elementor_website_builder | — | — |
| elemntor | elementor_website_builder | — | — |
| elemntor | elementor_website_builder | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the AJAX action 'elementor_upload_and_install_pro' from low-privileged (Subscriber+) authenticated users.
- Alert on multipart file uploads to admin-ajax.php containing a ZIP file submitted via the 'fileToUpload' field paired with action 'elementor_upload_and_install_pro'.
- A successful exploitation response body contains the MD5 string '5f9bc5edd71c78284dabe630df8cd71d'; alert on its presence in HTTP responses from /wp-admin/admin-ajax.php.
- Monitor for nonce extraction via the regex pattern 'admin-ajax.php","nonce":"([0-9a-zA-Z]+)"}' in GET /wp-admin/ responses, which is a precursor step in the exploit chain.
- Flag GET requests to /index.php?activate=1 immediately following a file upload to admin-ajax.php, as this is the activation step in the RCE exploit chain.
- Any authenticated user with Subscriber-level permissions or above can trigger the vulnerability; do not restrict detection to admin-level accounts.
- The vulnerability exists only in Elementor versions 3.6.0 through 3.6.2; version 3.6.3 and later are patched. Scope detection rules accordingly.
- The missing capability check is specifically in the onboarding module file; detection should focus on that AJAX action rather than all admin-ajax.php traffic.
- Exploitation requires authentication (any subscriber-level account); unauthenticated requests will not trigger this vulnerability.
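Detection logic that implements the indicators listed above (the vulnerable AJAX action from any authenticated role, a ZIP via 'fileToUpload', the success marker, the nonce precursor and the activation step), written here as an added example; it is not code from this page, Nuclei or Metasploit. It assumes request records already parsed into dicts, for instance from a WAF or application-layer log; the record shape, field names and the sample traffic are assumptions constructed for the example.

```python
"""Detection logic for the CVE-2022-1329 exploit chain (added example, not from the
page). Assumes request records parsed into dicts from a WAF/application log; the
record shape and field names are assumptions and the sample traffic is constructed."""
import re

VULN_ACTION = "elementor_upload_and_install_pro"
SUCCESS_MARKER = "5f9bc5edd71c78284dabe630df8cd71d"  # MD5 string cited on the page
NONCE_RE = re.compile(r'admin-ajax\.php","nonce":"([0-9a-zA-Z]+)"}')
ZIP_MAGIC = b"PK\x03\x04"  # ZIP local-file-header signature

def scan(records):
    """Return (client, finding) pairs for records given in arrival order."""
    findings = []
    uploaded = set()  # clients whose immediately preceding request was a ZIP upload
    for rec in records:
        client, method, path = rec["client"], rec["method"], rec["path"]
        body = rec.get("response_body", "")
        was_upload = False
        # Precursor: nonce visible in a /wp-admin/ page (low severity on its own).
        if method == "GET" and path.startswith("/wp-admin/") and NONCE_RE.search(body):
            findings.append((client, "nonce-exposed-in-wp-admin-response"))
        if (method == "POST" and path.endswith("/wp-admin/admin-ajax.php")
                and rec.get("form", {}).get("action") == VULN_ACTION):
            # Any authenticated role can reach the action, so every caller is flagged.
            findings.append((client, "vuln-action-by-role:" + rec.get("role", "unknown")))
            if rec.get("files", {}).get("fileToUpload", b"").startswith(ZIP_MAGIC):
                findings.append((client, "zip-upload-via-fileToUpload"))
                was_upload = True
            if SUCCESS_MARKER in body:
                findings.append((client, "success-marker-in-response"))
        # Activation step: GET /index.php?activate=1 right after this client's upload.
        if (method == "GET" and path == "/index.php"
                and rec.get("query") == "activate=1" and client in uploaded):
            findings.append((client, "activation-after-upload"))
        uploaded.discard(client)
        if was_upload:
            uploaded.add(client)
    return findings

SAMPLE = [  # constructed records; response bodies are illustrative, not real Elementor output
    {"client": "198.51.100.7", "method": "GET", "path": "/wp-admin/", "role": "subscriber",
     "response_body": '"ajaxurl":"/wp-admin/admin-ajax.php","nonce":"a1b2c3d4e5"}'},
    {"client": "198.51.100.7", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "role": "subscriber", "form": {"action": VULN_ACTION},
     "files": {"fileToUpload": b"PK\x03\x04\x14\x00\x00\x00"},
     "response_body": '{"success":true,"data":"5f9bc5edd71c78284dabe630df8cd71d"}'},
    {"client": "198.51.100.7", "method": "GET", "path": "/index.php", "query": "activate=1"},
    {"client": "203.0.113.9", "method": "POST", "path": "/wp-admin/admin-ajax.php",
     "role": "administrator", "form": {"action": "heartbeat"}},
]
```

Running `scan(SAMPLE)` yields five findings, all for the first client, while the administrator's unrelated heartbeat call produces none; the activation finding only fires when the activate request directly follows that client's upload.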
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 8.8 | HIGH | — |
GHSA
GHSA-87w4-xwrv-8vj5 (ghsa_unreviewed · 2022-04-20) · CVE-2022-1329 [HIGH] · CWE-434
Description: identical to the NVD description above.
VulnCheck
elementor Website Builder Unrestricted Upload of File with Dangerous Type (vulncheck · 2022 · CVSS 8.8 · CVE-2022-1329 [HIGH])
Description: identical to the NVD description above.
Affected: elementor Website Builder
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/elementor/elementor-website-builder-360-362-missing-aut
No detection rules found.
Nuclei
Elementor Website Builder - Remote Code Execution (nuclei · CVSS 8.8 · CVE-2022-1329 [HIGH])
The Elementor Website Builder plugin for WordPress versions 3.6.0 to 3.6.2 are vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file. This makes it possible for attackers to modify site data and upload malicious files which can be used to obtain remote code execution.
Template:
```yaml
id: CVE-2022-1329

info:
  name: Elementor Website Builder - Remote Code Execution
  author: theamanrawat
  severity: high
  description: |
    The Elementor Website Builder plugin for WordPress versions 3.6.0 to 3.6.2 are vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file. This makes it
```
Metasploit
Wordpress Plugin Elementor Authenticated Upload Remote Code Execution (metasploit)
The WordPress plugin Elementor versions 3.6.0 - 3.6.2, inclusive, have a vulnerability that allows any authenticated user to upload and execute any PHP file. This is achieved by sending a request to install Elementor Pro from a user supplied zip file. Any user with Subscriber or more permissions is able to execute this. Tested against Elementor 3.6.1.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/168615/WordPress-Elementor-3.6.2-Shell-Upload.html
- https://plugins.trac.wordpress.org/changeset/2708766/elementor/trunk/core/app/modules/onboarding/module.php
- https://www.pluginvulnerabilities.com/2022/04/12/5-million-install-wordpress-plugin-elementor-contains-authenticated-remote-code-execution-rce-vulnerability/
- https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/