{"id":11757,"date":"2023-04-02T09:56:43","date_gmt":"2023-04-02T09:56:43","guid":{"rendered":"https:\/\/nieuw.wpprovider.nl\/vulnerability-discovered-in-elementor-pro-3-11-6\/"},"modified":"2024-08-14T04:41:41","modified_gmt":"2024-08-14T04:41:41","slug":"vulnerability-discovered-in-elementor-pro-3-11-6","status":"publish","type":"post","link":"https:\/\/nieuw.wpprovider.nl\/en\/vulnerability-discovered-in-elementor-pro-3-11-6\/","title":{"rendered":"Vulnerability discovered in Elementor Pro 3.11.6"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"11757\" class=\"elementor elementor-11757 elementor-6453\" data-elementor-post-type=\"post\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d48770d e-flex e-con-boxed e-con e-parent\" data-id=\"d48770d\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-3936f46 elementor-widget elementor-widget-text-editor\" data-id=\"3936f46\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Perhaps you received this email from Elementor yesterday regarding a critical security vulnerability discovered in Elementor Pro versions 3.11.6? This vulnerability can be exploited if WooCommerce is also installed on your website. It contained the following message:<\/p>\n<h2>Email message from Elementor<\/h2>\n<p>The message below is translated from English into Dutch.<\/p>\n<p><em>Dear customer,<\/em><\/p>\n<p><em>We would like to inform you about a critical security vulnerability discovered in Elementor Pro versions 3.11.6 and earlier versions. This vulnerability can be exploited if WooCommerce is also installed on your website. <\/em><\/p>\n<p><em>To protect your website and ensure security, we strongly recommend that you update your Elementor Pro plugin to the latest version immediately. 
Follow these simple steps to complete the update: <\/em><\/p>\n<ul>\n<li><em>Log in to your WordPress Admin Dashboard.<\/em><\/li>\n<li><em>Go to &#8216;Plugins&#8217; in the left menu.<\/em><\/li>\n<li><em>Find Elementor Pro or PRO Elements in the list of installed plugins.<\/em><\/li>\n<li><em>Click the &#8216;Update Now&#8217; button to start the update process.<\/em><\/li>\n<\/ul>\n<p><em>Once the update is completed, your website will be protected from the security vulnerability and you can continue using Elementor Pro with confidence. If you encounter any problems or have any questions during the update process, please feel free to contact our support team. We are ready to help you and ensure that your website remains secure.  <\/em><\/p>\n<p><em>We apologize for any inconvenience this may cause and appreciate your prompt attention to this matter. Keeping your website secure is our top priority and we continue to work hard to address any security issues and keep you informed. <\/em><\/p>\n<p><em>Thank you for choosing our services and for your cooperation in maintaining a safe online environment.<\/em><\/p>\n<p><em>Kind regards, Dream-Theme team.<\/em><\/p>\n<h2>What does this vulnerability mean?<\/h2>\n<p>When Elementor Pro is installed on a site with WooCommerce enabled, the component &#8220;elementor-pro\/modules\/woocommerce\/module.php&#8221; is loaded, which registers a number of AJAX actions:<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a5e0493 elementor-widget elementor-widget-code-highlight\" data-id=\"a5e0493\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-javascript line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-javascript\">\n\t\t\t\t\t<xmp>\/**\n * Register Ajax Actions.\n 
*\n * Registers ajax action used by the Editor js.\n *\n * @since 3.5.0\n *\n * @param Ajax $ajax\n *\/\npublic function register_ajax_actions( Ajax $ajax ) {\n   \/\/ `woocommerce_update_page_option` is called in the editor save-show-modal.js.\n   $ajax->register_ajax_action( 'pro_woocommerce_update_page_option', [ $this, 'update_page_option' ] );\n   $ajax->register_ajax_action( 'pro_woocommerce_mock_notices', [ $this, 'woocommerce_mock_notices' ] );\n}<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-130f57b e-flex e-con-boxed e-con e-parent\" data-id=\"130f57b\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d13d475 elementor-widget elementor-widget-text-editor\" data-id=\"d13d475\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>One of them is pro_woocommerce_update_page_option, which is used by Elementor&#8217;s built-in editor. 
It calls update_option, a function that can be used to change WordPress options in the database, with two user inputs: <\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-4ead971 e-flex e-con-boxed e-con e-parent\" data-id=\"4ead971\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-a9441d6 elementor-widget elementor-widget-code-highlight\" data-id=\"a9441d6\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-javascript line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-javascript\">\n\t\t\t\t\t<xmp>\/**\n * Update Page Option.\n *\n * Ajax action can be used to update any WooCommerce option.\n *\n * @since 3.5.0\n *\n * @param array $data\n *\/\npublic function update_page_option( $data ) {\n   update_option( $data['option_name'], $data['editor_post_id'] );\n}<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-4e31dd0 e-flex e-con-boxed e-con e-parent\" data-id=\"4e31dd0\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-ddaae98 elementor-widget elementor-widget-text-editor\" data-id=\"ddaae98\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>This feature is intended to allow the administrator or shop manager to update some specific WooCommerce options, but user input is not validated and the feature lacks a capability check to limit access to privileged users.<\/p>\n<p>Elementor 
uses its own AJAX handler to manage most of its AJAX actions, including pro_woocommerce_update_page_option, with the global elementor_ajax action. This is located in the &#8220;elementor\/core\/common\/modules\/ajax\/module.php&#8221; script of the free version (which is required to run Elementor Pro): <\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-5aaa2bc e-flex e-con-boxed e-con e-parent\" data-id=\"5aaa2bc\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-876ab57 elementor-widget elementor-widget-code-highlight\" data-id=\"876ab57\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-javascript line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-javascript\">\n\t\t\t\t\t<xmp>\/**\n * Handle ajax request.\n *\n * Verify ajax nonce, and run all the registered actions for this request.\n *\n * Fired by `wp_ajax_elementor_ajax` action.\n *\n * @since 2.0.0\n * @access public\n *\/\npublic function handle_ajax_request() {\n   if ( ! 
$this->verify_request_nonce() ) {\n      $this->add_response_data( false, esc_html__( 'Token Expired.', 'elementor' ) )\n         ->send_error( Exceptions::UNAUTHORIZED );\n   }\n   ...<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e8a0c70 e-flex e-con-boxed e-con e-parent\" data-id=\"e8a0c70\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8a9c3a5 elementor-widget elementor-widget-text-editor\" data-id=\"8a9c3a5\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>We can see that it contains a nonce check that could potentially prevent bad actors from exploiting the vulnerability. But the nonce and all JS code associated with it is loaded via the admin_enqueue_scripts hook in &#8220;elementor\/core\/common\/app.php&#8221;: <\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-0623645 e-flex e-con-boxed e-con e-parent\" data-id=\"0623645\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-052234e elementor-widget elementor-widget-code-highlight\" data-id=\"052234e\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-javascript line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-javascript\">\n\t\t\t\t\t<xmp>add_action( 'admin_enqueue_scripts', [ $this, 'register_scripts' ] 
);\n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-699afeb e-flex e-con-boxed e-con e-parent\" data-id=\"699afeb\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-fccfa52 elementor-widget elementor-widget-text-editor\" data-id=\"fccfa52\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>So the nonce leaks into the page source for all logged-in users:<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-94f3d2b e-flex e-con-boxed e-con e-parent\" data-id=\"94f3d2b\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-25d5f50 elementor-widget elementor-widget-image\" data-id=\"25d5f50\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"693\" height=\"361\" src=\"https:\/\/nieuw.wpprovider.nl\/wp-content\/uploads\/elementor-3.11.6-vulnerability-01.png\" class=\"attachment-large size-large wp-image-6455\" alt=\"Vulnerability discovered in Elementor Pro\" srcset=\"https:\/\/nieuw.wpprovider.nl\/wp-content\/uploads\/elementor-3.11.6-vulnerability-01.png 693w, https:\/\/nieuw.wpprovider.nl\/wp-content\/uploads\/elementor-3.11.6-vulnerability-01-300x156.png 300w\" sizes=\"(max-width: 693px) 100vw, 693px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-fada154 e-flex e-con-boxed e-con e-parent\" data-id=\"fada154\" data-element_type=\"container\">\n\t\t\t\t\t<div 
class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-16859f5 elementor-widget elementor-widget-text-editor\" data-id=\"16859f5\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>An authenticated attacker could exploit the vulnerability to create an administrator account by enabling registration (users_can_register) and setting the default role (default_role) to &#8220;administrator&#8221;, changing the administrator email address (admin_email), or, as shown below, redirecting all traffic to an external malicious website by changing the site URL, among other things:<\/p><pre>MariaDB [example]&gt; SELECT * FROM `wp_options` WHERE `option_name`='siteurl';\n+-----------+-------------+------------------+----------+\n| option_id | option_name | option_value     | autoload |\n+-----------+-------------+------------------+----------+\n|         1 | siteurl     | https:\/\/slechteurl.nl| yes      |\n+-----------+-------------+------------------+----------+\n1 row in set (0.001 sec)<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0bd8c01 elementor-widget elementor-widget-text-editor\" data-id=\"0bd8c01\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Because the vulnerable component requires WooCommerce to be installed, an unauthenticated user can create a WooCommerce customer account, log in, and also exploit the vulnerability (WooCommerce customers can gain access to the backend by adding wc-ajax=1 to the query, for example https:\/\/example.com\/wp-admin\/?wc-ajax=1).<\/p>\n<p>The vulnerability was discovered and reported to the authors on March 18, 2023, and a new version 3.11.7 was released on March 22, 2023.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element 
elementor-element-7cb6fa4 elementor-widget elementor-widget-text-editor\" data-id=\"7cb6fa4\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Solution for WP Provider users<\/h2>\n<p>You don&#8217;t have to do anything if you use Managed Hosting via WP Provider: your Elementor Pro version 3.11.6 has been updated to the latest version.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4ce1c05 elementor-widget elementor-widget-text-editor\" data-id=\"4ce1c05\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Solution for non-WP Provider users<\/h2>\n<p>The solution is to update to the newer Elementor Pro version 3.11.7 as soon as possible. Always check whether newer versions are compatible with the plugins and themes used. <\/p>\n<p>If you currently host multiple WordPress websites and you do not do this through us, you can use one of our WordPress bash scripts, which can be found on our GitHub page.<\/p>\n<p>For example, use our bash script to see which websites are still running on 3.11.6: https:\/\/github.com\/wpprovider\/bash-scripts\/blob\/main\/check-elementor-pro-version.sh<\/p>\n<p>And to make it even easier, use the following bash script to also update these websites to 3.11.7: https:\/\/github.com\/wpprovider\/bash-scripts\/blob\/main\/update-specific-elementor-pro-version.sh<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-fe3e07e elementor-widget elementor-widget-text-editor\" data-id=\"fe3e07e\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Learn more about this vulnerability directly <a 
href=\"https:\/\/blog.nintechnet.com\/high-severity-vulnerability-fixed-in-wordpress-elementor-pro-plugin\/\" target=\"_blank\" rel=\"noopener\">from the source. <\/a><\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Perhaps you received this email from Elementor yesterday regarding a critical security vulnerability discovered in Elementor Pro versions 3.11.6? This vulnerability can be exploited if WooCommerce is also installed on your website. it contained the following message: Email message from Elementor The message below is translated from English into Dutch. Dear customer, We would like [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":10899,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[12],"tags":[],"class_list":["post-11757","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-geen-onderdeel-van-een-categorie"],"acf":[],"_links":{"self":[{"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/posts\/11757","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/comments?post=11757"}],"version-history":[{"count":1,"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/posts\/11757\/revisions"}],"predecessor-version":[{"id":11758,"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/posts\/11757\/revisions\/11758"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/media\/1
0899"}],"wp:attachment":[{"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/media?parent=11757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/categories?post=11757"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nieuw.wpprovider.nl\/en\/wp-json\/wp\/v2\/tags?post=11757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}