⚠️ Security update: WordPress Elementor plugin <= 3.18.0 - Arbitrary File Upload vulnerability

Hi guys, this blog update concerns a newly discovered vulnerability affecting the Elementor plugin up to version 3.18.0.

The vulnerability

Hồng Quân (luk6785 at VNPT-VCI) discovered and reported this Arbitrary File Upload vulnerability in WordPress Elementor Website Builder Plugin. This could allow a malicious actor to upload any type of file to your website. This can include backdoors which are then executed to gain further access to your website. This vulnerability has not been known to be fixed yet.

Now, before you freak out and reset your website, I’ve got some reassuring details for you:

1. This vulnerability can be exploited by users with at least Contributor privileges. This means that if you don’t have any additional user, or the user is a simple subscriber or commenter, your site has nothing to fear
2. It seems this vulnerability is only exploitable if you enabled the JSON file upload to import templates. This is disabled by default, but you have to switch it on to import single Elementor page tempaltes. Our theme Pro Radio doesn’t require to do this by default, swo you should have it off.

This means that, in order to be at risk, you need to have users in your WordPress with Contributor privileges (or higher), and they must be “bad actors” so they want to actually hack you.
Or, in the alternative, you have Contributor users in your WordPress, and they have sh*t weak passwords, your website can still be at risk. If in doubt, reset the passwords for all of your contributors and request them to set a new one.

In fact we can read, from the WordFence website:

The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Remote Code Execution via file upload in all versions up to and including 3.18.0 via the template import functionality. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files and execute code on the server.

How to stay safe

By any means, we DO recommend to take those 5 actions in order to prevent any possible issue:

1. Make a backup of your website, using Softaculous, or by using any plugin as Duplicator or similar. Remember that our theme makes just a theme backup, it doesn’t include database or medias.
2. Make sure to update Elementor to the latest version 3.18.1. Also, a new patch is expected within 24 hours. (more info)
3. If you don’t have WordFence installed yet, make sure to install it, and also, we recommend enabling 2FA and disabling XMLRPC.
4. make sure your users with provilege Contributor or above, are using a strong and unique password
5. Make sure you are using the latest Pro Radio theme version 5.0.9 and the latest version of the plugins (how to update Pro Radio theme and plugins)

If you take those actions, you can feel pretty safe.

Additional tip

We noticed that many people still use “admin” as username, or the name of the website, make sure to NOT use “admin” as you user or anything similar or the name of hthe domain.

If you do, it takes about 10 minutes to get your password.
We’re not in 1998 so you should guys already know this, but is worth repeating, since we still see this happening.

Nowadays, a security as WordFence, and basic login security, are a must.

Make sure your site is up to date, and has some minimum security levels, and you won’t have any problem.

This information is worth sharing , so please feel free to repost it on your facebook and blog, some reader may thank you later.

Thank you for reading and see you at the next post!