0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WordPress Elementor 3.6.2 Remote Code Execution Vulnerability
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
Description: Insufficient Access Control leading to Subscriber+ Remote Code Execution Affected Plugin: Elementor Plugin Slug: elementor Plugin Developer: Elementor Affected Versions: 3.6.0 – 3.6.2 CVE ID: CVE-2022-1329 CVSS Score: 9.9(Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Researcher/s: Ramuel Gall Fully Patched Version: 3.6.3 The Elementor plugin for WordPress introduced an Onboarding module in version 3.6.0, designed to simplify the initial setup of the plugin. The module uses an unusual method to register AJAX actions, adding an admin_init listener in its constructor that first checks whether or not a request was to the AJAX endpoint and contains a valid nonce before calling the maybe_handle_ajax function. Unfortunately no capability checks were used in the vulnerable versions. There are a number of ways for an authenticated user to obtain the Ajax::NONCE_KEY, but one of the simplest ways is to view the source of the admin dashboard as a logged-in user, as it is present for all authenticated users, even for subscriber-level users. This means that any logged-in user could use any of the onboarding functions. Additionally, an unauthenticated attacker with access to the Ajax::NONCE_KEY could use any of the functions called from maybe_handle_ajax, though this would likely require a separate vulnerability. The function with the most severe impact was the upload_and_install_pro function. An attacker could craft a fake malicious “Elementor Pro” plugin zip and use this function to install it. Any code present in the fake plugin would be executed, which could be used to take over the site or access additional resources on the server. In addition to this functionality, a less sophisticated attacker could simply deface the site by using the maybe_update_site_name, maybe_upload_logo_image, and maybe_update_site_logo functions to change the site name and logo. Timeline March 29, 2022 – We finish our investigation and deploy a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers. We send our full disclosure to the plugin developer’s official security contact. April 5, 2022 – We follow up with the plugin developer’s security contact as we have not yet received a response. April 11, 2022 – We send our full disclosure to the WordPress Plugins team. April 12, 2022 – A patched version of Elementor is released. April 28, 2022 – The firewall rule becomes available to free Wordfence users. Conclusion In today’s post, we covered a Critical vulnerability that allows any authenticated user to upload and execute malicious code on a site running a vulnerable version of the Elementor plugin. If your site is using the Elementor plugin, we urge you to update immediately. The good news is that the vulnerability is not present in versions prior to 3.6.0 and was successfully patched in 3.6.3. # 0day.today [2024-11-16] #