25 Oct 2024

WP Tavern’s Nathan Wrigley Highlights Duo of Companies Handling Security Badly as Example of Providing Better Security Outcomes

A new legal filing from lawyers representing Matt Mullenweg claims that he loves the WordPress community. That is hard to square with so much of what he does. For more than a decade, he has run a WordPress news outlet that fails to follow the basic journalistic standard of disclosing when the news outlet is covering its own owner and related parties. That news outlet is the WP Tavern, which is also included in the WordPress news feed that he controls, again without any disclosure of the situation. In addition to the news coverage, the WP Tavern has a podcast hosted by Nathan Wrigley. He isn’t someone who has shown any concern for the accuracy of what he covers. The latest podcast episode shows that off.

Before we get into the podcast episode, let’s step back in time to April 2022. That month, hackers started targeting a vulnerability in the very popular Elementor plugin. The vulnerability allowed arbitrary code to be run on the website by anyone logged in to WordPress with any user role that had access to the admin area of WordPress. Normally, anyone logged in to WordPress has access to the admin area. That vulnerability was caused in part by Elementor failing to implement a very basic security check to make sure only a user with the intended capability could access the functionality. Another part of the cause was that Elementor was leaking a security nonce to users who shouldn’t have had access to it. [Read more]

28 Aug 2024

WordPress Plugins Failing to Properly Uninstall Leads to Sensitive Information Being Left Behind

We recently completed a security review of a WordPress plugin we were planning to use on our website. We ended up not using the plugin because of an issue unrelated to the security review. While working on the security review, we ran into an issue that hasn’t been checked for as part of our security reviews but, in hindsight, is something that should be checked. It turns out that it is an issue that impacts many WordPress plugins, including a couple of plugins with 10+ million installs.

We will be releasing the results of the review once the developer has had a chance to respond to the issues we found. So without getting into the specifics of the issue in the plugin, what we found was that the plugin stores sensitive information as WordPress options (settings) and doesn’t remove it when the plugin is uninstalled. The sensitive information is a set of credentials for an API. Not only is that a security issue, it goes against the “basics” of how WordPress plugins are supposed to operate. The Uninstall Methods section of the Plugin Handbook states that “When your plugin is uninstalled, you’ll want to clear out any plugin options and/or settings specific to the plugin, and/or other database entities such as tables.” It also defines when a plugin is uninstalled: “A plugin is considered uninstalled if a user has deactivated the plugin, and then clicks the delete link within the WordPress Admin.” [Read more]
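As an added illustration of the Plugin Handbook guidance quoted above (this is example code written for this post, not code from the reviewed plugin or from WordPress), here is an uninstall.php for a hypothetical plugin that stores API credentials as options. WordPress runs this file only when the plugin is deleted from the admin, which is exactly the moment the handbook says the credentials must go. The plugin slug, option names, transient name and table name are all assumed:

```php
<?php
/**
 * uninstall.php for a hypothetical plugin "example-api-connector".
 * WordPress includes this file when an administrator deletes the plugin
 * (deactivation alone does not trigger it), so this is where stored
 * credentials and other plugin data must be removed.
 */

// Refuse to run unless WordPress itself is performing the uninstall.
if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
	exit;
}

// Every option the plugin writes. The first two are the sensitive ones:
// leaving them in wp_options after deletion is the issue described above.
$example_api_connector_options = array(
	'example_api_connector_api_key',
	'example_api_connector_api_secret',
	'example_api_connector_settings',
);

foreach ( $example_api_connector_options as $option_name ) {
	delete_option( $option_name );
	// On multisite the same settings may have been saved network-wide.
	delete_site_option( $option_name );
}

// Short-lived data such as a cached API token also lives in the database.
delete_transient( 'example_api_connector_token' );

// Drop any custom table the plugin created (name assumed).
global $wpdb;
$wpdb->query( "DROP TABLE IF EXISTS {$wpdb->prefix}example_api_connector_log" );
```

A reviewer can verify the cleanup by deleting the plugin on a test site and then listing options that still match the plugin's prefix, for example with WP-CLI's `wp option list --search='example_api_connector_*'`; anything returned is data the uninstall routine missed.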

12 Dec 2023

How WordPress Firewall Plugins Could Have Stopped Recently Fixed Vulnerability in Elementor

Last week, we took a look at the first and second attempt to fix an authenticated arbitrary file upload vulnerability in the 5+ million install WordPress plugin Elementor. With a situation like that, one of the questions for security providers is whether their security solutions protected against the issue before it was fixed. With our own Plugin Vulnerabilities Firewall plugin, we found that it did, because exploitation of the vulnerability involved directory traversal. As we found recently, while looking into another vulnerability that could be stopped the same way, only two other security plugins could stop it that way. More could have if their protection were more robust: eight plugins had detection for that issue, but only three detected it in POST data, which is where the payload for the Elementor vulnerability was.

Another method to detect this would be to detect PHP code being included in the data to be saved to the file. There are a couple of issues with doing that. First, the data is base64 encoded, so you would have to decode it and then check for something that tells you it is PHP code. Second, the data was part of JSON formatted data, so you need to deal with that as well. [Read more]
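To make the two complications above concrete, here is an added example of the detection approach just described (written for this post, not code from our firewall plugin or from any other security plugin). It parses the request body as JSON, walks every string in it, strictly base64-decodes anything that looks encoded, and flags a PHP open tag in either the raw or decoded text. The function names and the sample request bodies are constructed for the example:

```php
<?php
/**
 * Example detection of base64-encoded PHP code hidden inside JSON POST data.
 * Helper names are hypothetical; the sample payloads below are constructed.
 */

// True if the text contains a PHP open tag ("<?php" or "<?="), case-insensitive.
function example_looks_like_php( $text ) {
	return 1 === preg_match( '/<\?(?:php\b|=)/i', $text );
}

// Recursively inspect decoded JSON (arrays/strings) for PHP code.
function example_contains_php_payload( $value, $depth = 0 ) {
	if ( $depth > 20 ) {
		return false; // guard against absurdly deep nesting
	}
	if ( is_array( $value ) ) {
		foreach ( $value as $item ) {
			if ( example_contains_php_payload( $item, $depth + 1 ) ) {
				return true;
			}
		}
		return false;
	}
	if ( ! is_string( $value ) ) {
		return false;
	}
	// Problem one from the text: the code may be sitting in plain text...
	if ( example_looks_like_php( $value ) ) {
		return true;
	}
	// ...or base64 encoded. Strict decoding rejects anything that is not
	// valid base64, so ordinary prose is skipped cheaply.
	$candidate = preg_replace( '/\s+/', '', $value );
	if ( strlen( $candidate ) >= 8 && preg_match( '#^[A-Za-z0-9+/]+={0,2}$#', $candidate ) ) {
		$decoded = base64_decode( $candidate, true );
		if ( false !== $decoded && example_looks_like_php( $decoded ) ) {
			return true;
		}
	}
	// Problem two from the text: JSON nested inside a JSON string value.
	$nested = json_decode( $value, true );
	if ( is_array( $nested ) ) {
		return example_contains_php_payload( $nested, $depth + 1 );
	}
	return false;
}

// Entry point: hand it the raw POST body. Non-JSON bodies are scanned as-is.
function example_scan_request_body( $raw_body ) {
	$data = json_decode( $raw_body, true );
	if ( ! is_array( $data ) ) {
		$data = $raw_body;
	}
	return example_contains_php_payload( $data );
}

// Constructed sample: a template upload whose file content is base64-encoded PHP.
$example_malicious = json_encode( array(
	'title'   => 'Landing page',
	'content' => array( array( 'data' => base64_encode( "<?php echo 'hello'; ?>" ) ) ),
) );

// Constructed sample: a legitimate template whose encoded content is just JSON.
$example_benign = json_encode( array(
	'title'   => 'Landing page',
	'content' => base64_encode( '{"widgets":[]}' ),
) );

var_dump( example_scan_request_body( $example_malicious ) );
var_dump( example_scan_request_body( $example_benign ) );
```

Two caveats apply if this were used for real. Decoding only one layer of base64 means a payload encoded twice would pass, so a firewall would want to loop the decode step a bounded number of times; and because the check depends on the PHP open tag, it complements rather than replaces the directory traversal check discussed above, which is what actually stopped the Elementor exploit.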

8 Dec 2023

Elementor Issues Second Fix for Authenticated Arbitrary File Upload Vulnerability

Yesterday, we covered a security fix issued for the 5+ million install WordPress plugin Elementor for an authenticated arbitrary file upload vulnerability. That happened in version 3.18.1. Today, a second fix was released in the next version, 3.18.2. The changelog acknowledges that, “Security Fix: Addressed security weaknesses in template upload mechanism.” The new fix addresses a significant limitation of the first fix and, as far as we are aware, should fully resolve this.

The first fix restricted the ability of an attacker logged in to WordPress as a user with the Contributor role or above to use directory traversal to move an uploaded file outside of its intended directory, which has a randomized name. That would keep the attacker from at least easily accessing the file. It didn’t limit what types of files they could upload through the relevant code. The second fix puts that restriction in place. [Read more]

7 Dec 2023

Digging In To The Authenticated Arbitrary File Upload Vulnerability in Elementor

Yesterday, an update was released for the 5+ million install WordPress plugin Elementor with a changelog entry suggesting a security issue was addressed, “Fix: Improved code security enforcement in File Upload mechanism.” While looking into this, we found that Elementor appears to have multiple issues. We found the plugin did have an arbitrary file upload vulnerability, which you could argue is now fixed or not. Based on what we know now, we would say it is fixed, but there is still insecurity that remains, though there may be something we are missing. (Update 12/8: Elementor has released a second fix to address the remaining insecurity.) As we have been saying since April, we would recommend not using plugins from Elementor based on repeated incidents of poor security handling.

Other Providers’ Claims

Based on that changelog, it appears that the WordPress security provider Wordfence claimed there was a fixed or unfixed authenticated (Contributor+) arbitrary file upload to remote code execution via template import vulnerability in the plugin, which they described this way: [Read more]

12 May 2023

Latest Elementor Version Fixes Privilege Escalation Vulnerability Issues

Last month, we contacted the developer of the 5+ million install (and maybe 13 million install) WordPress plugin Elementor about yet another issue with them failing to properly restrict access to the plugin’s functionality to only the users intended to access it. The only response we got back was about a subscription to their Elementor Pro plugin. That issue still hasn’t been fixed, but the latest version of the plugin, 3.13.2, did address some other instances of the issue that led to at least minor vulnerabilities.

The only changelog information given on the fix was “Security Fix: Addressed security weaknesses in access management related functions”. Looking into this, so that we could properly inform any of our customers using that plugin, we found that user capability checks were added in several locations. One example of that involves the file /modules/safe-mode/module.php, where the ajax_enable_safe_mode function had such a capability check added to limit enabling a safe mode for the plugin to those with the install_plugins capability (which normally only Administrators have): [Read more]
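The two Elementor problems described on this page, a missing capability check in an AJAX handler (the fix above) and a nonce handed to users who should never have been able to use it (the April 2022 incident), are shown together in this added example. It is illustrative code written for this post, not Elementor's code: the function names, action name, nonce action, option name and script handle are all assumed. The "before" handler is reachable by any logged-in user, because the wp_ajax_ hook only requires a login; the "after" handler restricts it to install_plugins, and the nonce is only generated for users who pass the same check:

```php
<?php
/**
 * Hypothetical WordPress plugin AJAX handler, before and after adding the
 * capability check described above. All names are assumed for the example.
 */

// BEFORE: any logged-in user (Subscriber and up) can enable "safe mode".
// check_ajax_referer() only proves the request came from a page that had the
// nonce; it says nothing about whether the user is allowed to do this.
function example_ajax_enable_safe_mode_before() {
	check_ajax_referer( 'example_safe_mode', 'nonce' );
	update_option( 'example_safe_mode', 'yes' );
	wp_send_json_success();
}

// AFTER: the capability check comes first and ends the request with a 403
// for anyone without install_plugins (normally only Administrators).
function example_ajax_enable_safe_mode_after() {
	if ( ! current_user_can( 'install_plugins' ) ) {
		wp_send_json_error( 'Insufficient permissions', 403 );
	}
	check_ajax_referer( 'example_safe_mode', 'nonce' );
	update_option( 'example_safe_mode', 'yes' );
	wp_send_json_success();
}
add_action( 'wp_ajax_example_enable_safe_mode', 'example_ajax_enable_safe_mode_after' );

// The nonce itself is only exposed to users who may call the handler. Printing
// it for every admin-area user is the "leaked nonce" problem from April 2022:
// a lower-privileged user could then satisfy the referer check.
// Assumes a script registered under the handle 'example-safe-mode'.
function example_localize_safe_mode_script() {
	if ( ! current_user_can( 'install_plugins' ) ) {
		return;
	}
	wp_localize_script(
		'example-safe-mode',
		'exampleSafeMode',
		array( 'nonce' => wp_create_nonce( 'example_safe_mode' ) )
	);
}
add_action( 'admin_enqueue_scripts', 'example_localize_safe_mode_script' );
```

When reviewing a plugin for this class of issue, every callback attached to a wp_ajax_ or wp_ajax_nopriv_ hook, and every REST route without a permission_callback that checks a capability, is worth reading with the question "who can reach this?" rather than "does it check a nonce?", since the nonce alone was not enough here.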

28 Apr 2023

Not Really a WordPress Plugin Vulnerability, Week of April 28

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Authenticated (Administrator+) SQL Injection via ‘replace_urls’ in Elementor

Yesterday, we issued an advisory warning about using plugins developed by Elementor, in part based on a security issue we found is still in the plugin. We found that while reviewing a security change being made in the latest version of the plugin. Wordfence claimed that the change fixed a vulnerability: [Read more]

27 Apr 2023

WordPress Plugin Developer Security Advisory: Elementor

One of the little understood realities of security issues with WordPress plugins is that the insecurity is not evenly spread across those plugins. Instead, many developers are properly securing their plugins, and others get them properly secured when alerted that they haven’t done that. A smaller number of plugin developers are either unable or unwilling to properly secure their plugins. Among the issues we have seen with the latter group are developers who have introduced new serious vulnerabilities that are substantially similar to vulnerabilities that they know have been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugin, we are releasing advisories to warn customers of our service and the wider WordPress community of the risk of utilizing those developers’ plugins. In addition to checking those posts on our website for information on those advisories, we provide access to the information in several other forms. That includes through the companion plugin for our service, even when not using the service, as well as through a web browser extension and through separate data accessible from our website. [Read more]

12 Apr 2022

5+ Million Install WordPress Plugin Elementor Contains Authenticated Remote Code Execution (RCE) Vulnerability

Late last week, third-party data we monitor showed what was possibly a hacker probing for usage of the WordPress plugin Elementor, which has 5+ million active installs according to WordPress, by requesting this file:

/wp-content/plugins/elementor/readme.txt [Read more]