8 Dec 2023

Elementor Issues Second Fix for Authenticated Arbitrary File Upload Vulnerability

Yesterday, we covered a security fix issued for the 5+ million install WordPress plugin Elementor for an authenticated arbitrary file upload vulnerability. That happened in version 3.18.1. Today, a second fix was released in the next version, 3.18.2. The changelog acknowledges that, “Security Fix: Addressed security weaknesses in template upload mechanism.” The new fix addresses a significant limitation of the first fix and, as far as we are aware, should fully resolve this.

The first fix restricted the ability of an attacker logged in to WordPress as a user with the Contributor role or above to use directory traversal to move an uploaded file outside of its intended directory, which has a randomized name. That would at least keep the attacker from easily accessing the file. It didn’t limit what types of files they could upload through the relevant code. The second fix puts that restriction in place.

The change this time was made in the function save_base64_to_tmp_file() in the file /core/files/uploads-manager.php. The new code added to the beginning of the function checks whether the file being uploaded has an allowed file extension:

private function save_base64_to_tmp_file( $file, $allowed_file_extensions = null ) {
	$file_extension = pathinfo( $file['fileName'], PATHINFO_EXTENSION );
	$is_file_type_allowed = $this->is_file_type_allowed( $file_extension, $allowed_file_extensions );

	if ( is_wp_error( $is_file_type_allowed ) ) {
		return $is_file_type_allowed;
	}
	// ... rest of the function unchanged

Elsewhere in the plugin, the extensions that are allowed are limited to json and zip:

$upload_result = Plugin::$instance->uploads_manager->handle_elementor_upload( $data, [ 'zip', 'json' ] );

So this removes the ability to upload arbitrary files.
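The two fixes together amount to two independent controls on a client-supplied filename: the file must stay inside its randomized temporary directory, and its extension must be on an explicit allowlist. The following is an added example, not Elementor’s code, showing both controls in one hardened save routine; the function names, the $tmp_root layout and the sample filenames are our own assumptions.

```php
<?php
// Added example (not Elementor's code): a hardened temporary-file save that applies
// both controls described above: a path check so the file cannot leave its randomized
// temp directory, and an extension allowlist. All names here are hypothetical.

function is_extension_allowed( string $file_name, array $allowed_extensions ): bool {
    // Compare the last extension only, case-insensitively ("JSON" matches "json").
    $extension = strtolower( pathinfo( $file_name, PATHINFO_EXTENSION ) );
    if ( '' === $extension ) {
        return false;
    }
    return in_array( $extension, array_map( 'strtolower', $allowed_extensions ), true );
}

function save_base64_to_random_tmp_dir( string $base64_content, string $file_name, array $allowed_extensions, string $tmp_root ): string {
    // 1. Extension allowlist: reject anything not explicitly permitted (the second fix).
    if ( ! is_extension_allowed( $file_name, $allowed_extensions ) ) {
        throw new InvalidArgumentException( 'File type not allowed: ' . $file_name );
    }

    // 2. Drop any directory component supplied by the client ("../../x.json" -> "x.json").
    $safe_name = basename( str_replace( '\\', '/', $file_name ) );
    if ( '' === $safe_name || '.' === $safe_name[0] ) {
        throw new InvalidArgumentException( 'Invalid file name' );
    }

    // 3. Create a per-upload directory with an unguessable name.
    $tmp_dir = rtrim( $tmp_root, '/' ) . '/' . bin2hex( random_bytes( 16 ) );
    if ( ! mkdir( $tmp_dir, 0700, true ) ) {
        throw new RuntimeException( 'Could not create temp dir' );
    }

    // 4. Defence in depth (the first fix): confirm the final path is still inside the temp dir.
    $target   = $tmp_dir . '/' . $safe_name;
    $real_dir = realpath( $tmp_dir );
    $real_parent = realpath( dirname( $target ) );
    if ( false === $real_dir || false === $real_parent || 0 !== strpos( $real_parent, $real_dir ) ) {
        throw new RuntimeException( 'Path escapes temp directory' );
    }

    // Strict decoding rejects content that is not valid base64.
    $decoded = base64_decode( $base64_content, true );
    if ( false === $decoded ) {
        throw new InvalidArgumentException( 'Invalid base64 content' );
    }
    file_put_contents( $target, $decoded );
    return $target;
}

// Constructed sample inputs: two benign names and two that exercise each control.
$tmp_root = sys_get_temp_dir() . '/upload-example';
$samples  = [
    'template.json',      // allowed, saved inside the random directory
    'template.php',       // rejected by the extension allowlist
    '../../outside.php',  // rejected by the extension allowlist before any path handling
    '../../evil.json',    // extension allowed; traversal stripped, saved as evil.json in the random dir
];
foreach ( $samples as $name ) {
    try {
        $path = save_base64_to_random_tmp_dir( base64_encode( '{}' ), $name, [ 'zip', 'json' ], $tmp_root );
        echo "$name -> saved at $path\n";
    } catch ( Exception $e ) {
        echo "$name -> rejected: " . $e->getMessage() . "\n";
    }
}
```

Note that the allowlist is checked before the name is sanitised, so a disallowed extension is rejected regardless of any path tricks, and the realpath comparison in step 4 would still catch an escape even if a later change weakened the basename() step.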

As we have been saying since April, we would recommend not using plugins from Elementor based on repeated incidents of poor security handling.

