Elementor Page Builder versions less than 1.8 contain a major security issue that allows logged in users (not just admin) unrestricted access to the Elementor specific backend functions. This allows unrestricted importing/exporting of content and potentially complete site compromise. The WordPress.org repository claims there are over 300,000 active installations.
If you are running an older version, upgrade immediately. The Elementor team did not appear to be planning any disclosure or notification and the only indication in the changelog of any potential issues is “Fix! – Patched nonce validation for all library actions” along with additional nonce related fixes over the next few days to deal with bugs related to this patching.
Due to the large number of installs I will not describe the exact steps to exploit these methods. Many of the AJAX actions are accessible to any logged in user. Some of the actions are protected with the ‘elementor-editing’ nonce, unfortunately that was leaked to any logged in user via the WordPress heartbeat.
- 10/17/2017 Sent initial contact inquiry
- 10/18/2017 Received response and disclosure sent
- 10/26/2017 Followup message sent to check status
- 11/7/2017 Version 1.8.0 released
In the quest for a good solution to allow different groups to control their own content on a WordPress site, I came across the Advanced Access Manager plugin. During a standard cursory investigation of the code I discovered that any logged in user could execute any of the AJAX actions without proper authorization.
As a normal subscriber account, I was able to give myself administrator privileges on the site and do much more.
The wordpress.org repository claims there are 50,000+ active installs of this plugin. If you are using a version <= 3.2.1, upgrade immediately.
The AJAX actions were protected only with the ‘aam_ajax’ nonce which could be leaked by passing in HTTP POST variable ‘action=aam’. The following function is called from the ‘admin_print_scripts’ action, which in turn calls the printLocalization() function which includes the nonce.
Unrestricted AJAX Actions
Once you have acquired a valid nonce, as a logged in user you can then call the ‘aam’ AJAX action.
Which will allow you to call any function in the ‘AAM_Backend_View’ class or in any class that begins with ‘AAM_Backend_’
Almost every action taken by this plugin goes through this function, so anything that an administrator can do is now accessible to anyone with basic login credentials.
- 5/11/2016 8:25pm Submitted contact form for initial contact
- 5/12/2016 5:34am Response received
- 5/12/2016 8:10am Initial Disclosure
- 6/15/2016 GitHub repository updated
- 6/20/2016 Version 3.2.2 released
Multiple critical security vulnerabilities were discovered in the Ninja Forms plugin for WordPress. If you are using a version less than 2.9.42, update immediately!
Ninja Forms is a very popular WordPress plugin to easily build forms for WordPress. The WordPress.org repository claims there are 500,000+ active installs and ninjaforms.com claims there have been over 2.38 million downloads of the plugin as of May 4th 2016. The plugin is currently listed as the 35th most popular plugin in the WordPress.org repository.
Multiple critical security vulnerabilities were discovered while doing a cursory investigation before deciding to use a plugin and disclosed to the WP Ninjas team. I did not do a full audit of the code base but I recommended the team do a complete audit before releasing an update. After they were patched, I recommended they contact the WordPress.org plugin security team to get help with forcing an automatic security update.
Version 2.9.36 to 2.9.42 are vulnerable to all of the following critical security vulnerabilities. The most sever vulnerability allows unrestricted uploading of files which could allow remote code execution on a typical webserver setup. The only condition required on a site to attack it is to already have a form enabled, which if this plugin is installed the chances of a form being in use are very high.