Home / About / Threat Intelligence / WordPress Elementor plugin vulnerable to file upload attack

Overview

Over five million WordPress sites could be vulnerable to a file upload vulnerability in the Elementor website builder plugin.

Impact

An authenticated user could upload a file and execute it, granting code execution on the server.

Vulnerability Detection

Check the running version of Elementor from the WordPress Plugins page of the dashboard.

Affected Products

Elementor version 3.6.0.

Containment, Mitigations & Remediations

Update to version 3.6.3.

The researchers who published the advisory note that aside from this specific vulnerability, the plugin does not seem well written so it might be best not to use it at all.

If the provided functionality is required, then a web application firewall (WAF) could help mitigate some types of attack.

Indicators of Compromise

Malicious actors can be detected scanning for vulnerable servers by looking in HTTP logs for the following file: /wp-content/plugins/elementor/readme.txt

That doesn’t indicate a successful attack, however.

Threat Landscape

Third-party WordPress plugins are commonly found to be vulnerable and there doesn’t seem to be a lot of effort put into securing them. WordPress is a particularly targetted platform due to its prolific use. This third-party plugin is currently running on over 5 million servers, making this a desirable target for botnet creators.

Mitre Methodologies

T1068 – Exploitation for Privilege Escalation

Further Information

5+ Million Install WordPress Plugin Elementor Contains Authenticated Remote Code Execution (RCE) Vulnerability