WordPress Plugin Developer Security Advisory: Elementor
One of the little understood realities of security issues with WordPress plugins is that insecurity is not evenly spread across those plugins. Instead, many developers properly secure their plugins, and others get them properly secured when alerted that they haven’t. A smaller number of plugin developers are either unable or unwilling to properly secure their plugins. Among the issues we have seen with that latter group are developers who have introduced new serious vulnerabilities that are substantially similar to vulnerabilities they know have been exploited in their plugins.
In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugins, we release advisories to warn customers of our service and the wider WordPress community of the risk of using those developers’ plugins. In addition to checking the posts on our website for information on those advisories, we provide access to the information in several other forms: through the companion plugin for our service (even when not using the service), through a web browser extension, and through separate data accessible from our website.
The latest addition to our advisories involves a developer, Elementor, that keeps failing to implement the same basic security check, even though its absence has led to two exploited vulnerabilities in just over a year, all while claiming to take security seriously:
Elementor takes its responsibility to create secure plugins seriously. Our developers are highly trained to write safe, secure code, and we monitor for vulnerabilities.
Making the situation worse, they make it hard to even get in touch with them about security issues in their plugins.
Missing Capabilities Check to Exploited Vulnerability
In April of last year, we saw what appeared to be a hacker probing for the Elementor plugin. That was concerning, as it is one of the most popular WordPress plugins. It isn’t clear how popular because WordPress won’t show install counts above 5+ million, for whatever reason. According to Elementor, as of this year, it was up to 13 million installs.
After seeing that apparent hacker probing, we did a set of checks designed to find the types of vulnerabilities that hackers are known to find on their own and exploit. Here is how we recapped the result of that:
What we immediately found was that the plugin isn’t handling basic security right, as we found many functionalities where capabilities checks were missing where they shouldn’t be. While some of those were not accessible to users that shouldn’t have access, we found at least one that is, and the functionality accessible leads to one of the most serious types of vulnerabilities, remote code execution (RCE). That means that malicious code provided by the attacker can be run by the website.
We were later able to confirm that hackers were exploiting the most serious security issue we ran across. While a hacker could have found that on their own, Wordfence later disclosed that they had been selling information on how to exploit the vulnerability to anyone willing to pay for their Wordfence Premium service since the end of March. Wordfence’s post failed to mention that a broader security issue still existed in the plugin (not for the first time), but it did have this concerning timeline:
We sent our disclosure to the official Elementor security contact email address on March 29, and followed up on April 5, 2022. As we did not receive a response by April 11, 2022, we sent the disclosure to the WordPress plugins team. A patched version of the plugin, 3.6.3, was released the next day on April 12, 2022.
(April 12 was when we publicly warned about this, so that might explain why it was fixed then.)
You would think that Elementor would have taken a hacker exploiting that vulnerability as a wake-up call that they needed to improve their security, but they didn’t.
Missing Capabilities Check to Exploited Vulnerability Again
In late March, the maker of the NinjaFirewall plugin, NinTechNet, disclosed a serious vulnerability in the Elementor Pro plugin. While the vulnerability was fixed before it was disclosed, so websites could be protected by simply keeping their plugins up to date, many websites were subsequently hacked through this.
Like the previously exploited vulnerability, that vulnerability was also in part caused by a lack of a capabilities check:
This function is supposed to allow the Administrator or the Shop Manager to update some specific WooCommerce options, but user input isn’t validated and the function lacks a capability check to restrict its access to a high privileged user only.
Surely that lack of a basic security check causing websites to be exploited for the second time in a year would cause Elementor to make sure there were no more issues like that, right? Wrong.
Yet Another Missing Capabilities Check
On Sunday, a new version of Elementor was released, with a changelog indicating a security change had been made: “Fix: Improved code security enforcement in Replace URL functionality”. As at least one of our customers is using the plugin, we checked over that to see if there was a vulnerability being addressed. There wasn’t (though other data providers are incorrectly claiming there was). What we did find was that there was still a security issue with the code because of a lack of a capabilities check.
The Replace URL functionality referenced involves the function ajax_elementor_replace_url() in the file /includes/settings/tools.php. That is made accessible through WordPress’ AJAX functionality to anyone logged in to WordPress (just like the previously mentioned vulnerability):
```php
add_action( 'wp_ajax_elementor_replace_url', [ $this, 'ajax_elementor_replace_url' ] );
```
There should be a capabilities check to limit access to that to the intended users, which are Administrators, but there isn’t one:
```php
public function ajax_elementor_replace_url() {
	check_ajax_referer( 'elementor_replace_url', '_nonce' );

	$from = Utils::get_super_global_value( $_POST, 'from' ) ?? '';
	$to = Utils::get_super_global_value( $_POST, 'to' ) ?? '';

	try {
		$results = Utils::replace_urls( $from, $to );
		wp_send_json_success( $results );
	} catch ( \Exception $e ) {
		wp_send_json_error( $e->getMessage() );
	}
}
```
Two more AJAX-accessible functions in the same file also lack that check.
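What the missing check looks like when it is present, as an added illustration that is not Elementor’s code: the same handler shape, but with the nonce check followed by a capability check, so a logged-in user who is not an Administrator is refused before any work is done. The class, hook and nonce names are assumed, and the replacement routine is a simple stand-in for the plugin’s own.

```php
<?php
// Added illustration, not Elementor's code. Shows the missing piece the
// post describes: an admin-only AJAX handler must verify the caller's
// capability, not just the nonce. Class, hook and nonce names are assumed.
class My_Tools {
    public function __construct() {
        // wp_ajax_* hooks run for ANY logged-in user, regardless of role,
        // so the handler itself has to decide who is allowed in.
        add_action( 'wp_ajax_my_replace_url', [ $this, 'ajax_replace_url' ] );
    }

    public function ajax_replace_url() {
        // 1. Nonce: proves the request came from a page we issued (CSRF
        //    protection). It says nothing about the user's role.
        check_ajax_referer( 'my_replace_url', '_nonce' );

        // 2. Capability: the authorization check the post says is missing.
        //    Subscribers and other low-privilege users are refused here.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'Insufficient permissions.', 403 );
        }

        // 3. Input validation before any database work.
        $from = isset( $_POST['from'] ) ? esc_url_raw( wp_unslash( $_POST['from'] ) ) : '';
        $to   = isset( $_POST['to'] ) ? esc_url_raw( wp_unslash( $_POST['to'] ) ) : '';
        if ( '' === $from || '' === $to ) {
            wp_send_json_error( 'Both "from" and "to" URLs are required.', 400 );
        }

        try {
            wp_send_json_success( $this->replace_urls( $from, $to ) );
        } catch ( \Exception $e ) {
            wp_send_json_error( $e->getMessage(), 500 );
        }
    }

    // Search-and-replace over post content using a prepared statement; this
    // is a simple stand-in for the plugin's own replacement routine.
    private function replace_urls( $from, $to ) {
        global $wpdb;
        $rows = $wpdb->query( $wpdb->prepare(
            "UPDATE {$wpdb->posts} SET post_content = REPLACE( post_content, %s, %s )",
            $from,
            $to
        ) );
        return [ 'rows_affected' => (int) $rows ];
    }
}
new My_Tools();
```

wp_send_json_error() ends the request via wp_die(), so each failed check stops the handler before the database is touched.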
So clearly Elementor still isn’t making sure to do basic security, while as we noted before claiming that “[o]ur developers are highly trained to write safe, secure code”.
You Need to Be a Customer to Report Security Issues?
Once we noticed that issue, we started trying to find out how we could get in touch with Elementor about this. Elementor has a Security FAQ, which lacks any information on how to report security issues to them. The Security page for Elementor’s GitHub project is similarly lacking information on doing that, or any information for that matter.
Elementor does have a security bug bounty program, but what we were trying to contact them about isn’t a vulnerability, so it wouldn’t be relevant there. Another problem is that the terms for handling things through that program would be unacceptable for a provider like us, as we are only aware of vulnerabilities because of our customers, and they are paying us to provide them with that type of information. The program doesn’t allow that:
Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.
While it is a bit hard to find, on their contact page, they do link to an email address for reporting a security issue. It is security@elementor.com, so it doesn’t seem like there should be any confusion about what is getting reported to that, but here is the reply we got to our message with the details of the issue:
Hi there,
Thank you for contacting us.
We are currently unable to locate your Elementor Pro subscription under the email [redacted].
Please send us a ticket through your https://my.elementor.com/ dashboard so we can validate it.
Follow this guide to create a ticket from your Elementor Pro account:
https://elementor.com/help/how-to-submit-a-support-ticket/
Thank you for your understanding, and I wish you a wonderful day ahead.
Best Regards,
[redacted]
Do they really require you to be a customer of one of their paid offerings to report a security issue about their free plugin? Maybe. We replied that there must be some mistake, but we haven’t received a response in two days.
Avoid Elementor’s Plugins
There isn’t any excuse for Elementor not to have gotten such basic security implemented in their plugins by now. It shows that they either don’t care about security or are incapable of handling the responsibility of being a plugin developer. That they can’t even handle receiving security reports means that there might be known vulnerabilities in the plugin that people have attempted to report to them but that haven’t been fixed.
We would recommend avoiding their plugins, unless they can show that they have made significant changes to their handling of security.
Did you also report it to the PatchStack (official) vulnerability disclosure program for Elementor: https://patchstack.com/database/vdp/elementor
While Patchstack is claiming to be the official vulnerability disclosure program for Elementor, it seems like that isn’t true, as we noted last month: https://www.pluginvulnerabilities.com/2023/12/07/digging-in-to-the-authenticated-arbitrary-file-upload-vulnerability-in-elementor/