• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Critical RCE Vulnerability in Elementor WordPress Plugin

April 13, 2022Antony Garand

FacebookTwitterSubscribe
Security Risk: High

Exploitation Level: Easy

CVSS Score: 9.9

Vulnerability: Remote code execution (RCE)

Patched Version: 3.6.3

On April 12th, an important security update was released for the Elementor plugin patching a critical remote code vulnerability which allows all authenticated users, including subscribers, to upload and execute arbitrary PHP code on a vulnerable website.

This vulnerability, identified as CVE-2022-1329, is extremely severe. With over 5 million active installations of Elementor at the time of writing, a significant number of websites are impacted.

WordPress websites using the Elementor plugin should patch immediately. Sucuri web application firewall users are protected from this issue.

Technical Details

Originally reported by WordFence’s Threat Intelligence Team, this critical vulnerability leverages a lack of capability checks found in vulnerable versions of the plugin.

Attackers are able to upload malicious code as a fake plugin archive file and use the vulnerable upload_and_install_pro action to execute their payload in the compromised environment. By exploiting this vulnerability, attackers can easily take over the site or access resources on the web server.

Update Elementor

To protect against this vulnerability, we strongly encourage Elementor users to update their plugin to a version 3.6.3 or greater as soon as possible.

Users who are unable to update immediately can leverage the Sucuri Firewall to virtually patch their website against all known vulnerabilities.

FacebookTwitterSubscribe

Categories: Security Advisory, Vulnerability Disclosure, WordPress Security

About Antony Garand

Antony Garand is Sucuri's Threat Researcher who joined the company in 2019. Antony's main responsibilities include researching vulnerabilities and dissecting malware. His professional experience covers many years of security research and development. When Antony isn't breaking stuff, you might find him at the dog park or learning new skills. Connect with him on Twitter

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.