Elementor Page Builder versions less than 1.8 contain a major security issue that allows logged in users (not just admin) unrestricted access to the Elementor specific backend functions. This allows unrestricted importing/exporting of content and potentially complete site compromise. The WordPress.org repository claims there are over 300,000 active installations.
If you are running an older version, upgrade immediately. The Elementor team did not appear to be planning any disclosure or notification and the only indication in the changelog of any potential issues is “Fix! – Patched nonce validation for all library actions” along with additional nonce related fixes over the next few days to deal with bugs related to this patching.
Due to the large number of installs I will not describe the exact steps to exploit these methods. Many of the AJAX actions are accessible to any logged in user. Some of the actions are protected with the ‘elementor-editing’ nonce, unfortunately that was leaked to any logged in user via the WordPress heartbeat.
- 10/17/2017 Sent initial contact inquiry
- 10/18/2017 Received response and disclosure sent
- 10/26/2017 Followup message sent to check status
- 11/7/2017 Version 1.8.0 released
Shortcode Injection Vulnerability
Ultimate Member versions older than 1.3.84 allow unauthenticated users to execute arbitrary WordPress shortcodes via AJAX. The vulnerable code exists as far back as version 1.0.0 when the plugin was first published. If you are using any version of this plugin, update immediately. At this time, the plugin revision notes do not address this vulnerability nor has the developer released any information related to this issue.
The default WordPress shortcodes are relatively secure but other installed plugins often include insecure shortcodes, including the Ultimate Member plugin. Some of the Ultimate Member shortcodes are documented at http://docs.ultimatemember.com/article/210-ultimate-member-shortcodes.
Executing arbitrary shortcodes
Ultimate Member adds the ‘ultimatemember_frontend_modal’ AJAX action which is accessible to anyone whether they are logged in or not. This allows passing arbitrary arguments to the do_shortcode() function and returns the results.
Include arbitrary PHP files
Using directory traversal and the ‘ultimatemember_account’ shortcode PHP files accessible on the host can be included. The following function is what is called when the ‘ultimatemember_account’ shortcode is executed.
Adding a template argument to the shortcode allows the PHP file to be included.
For example the following shortcode call allows viewing some user stats from the dashboard:
If a method could be discovered that allows uploading arbitrary PHP code, this could be used to execute that code.
- 2/27/2017 Notified developer of issue
- 3/9/2017 Second notification to developer
- 3/10/2017 ‘Clean up’ commit on GitHub
- 3/10/2017 Developer reply saying they removed the offending code
- 4/17/2017 5:30AM PST Version 1.3.84 tagged in GitHub
- 4/17/2017 6:34PM PST Version 1.3.84 released on wordpress.org
Back in March 2016 Ninja Forms version 3.0 started to roll out, there was an unknown vulnerability at the time that allowed unauthenticated end users to inject arbitrary WordPress shortcodes via form field submissions. The issue was resolved in version 3.0.31.
The default WordPress shortcodes do not provide much further access and accessing the [ninja-forms] shortcode would only allow an attacker to preview un-published forms. While these shortcodes could allow leverage for further attacks by default this is a very minor issue, though if a site has additional plugins installed that provide shortcodes then this vulnerability could be leveraged to execute those.
- 10/27/2016 First contact to vendor regarding issue
- 10/27/2016 Received vendor support reply saying they will forward on the issue
- 11/9/2016 Version 3.0.15 released
- 11/10/2016 Second contact regarding issue
- 11/21/2016 Version 3.0.16 released
- 11/22/2016 Third contact regarding issue
- 12/6/2016 Version 3.0.18 released
- 2/28/2016 Version 3.0.30 released
- 3/2/2017 Fourth attempt regarding issue
- 3/3/2017 Reply from developer saying they see the issue and will be resolved
- 3/7/2017 Version 3.0.31 released