CVE-2022-1329
Summary
| CVE | CVE-2022-1329 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-04-19 21:15:00 UTC |
| Updated | 2023-05-26 19:42:00 UTC |
| Description | The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2. |
Risk And Classification
Problem Types: CWE-434 | CWE-862
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Elementor | Elementor Website Builder | All | All | All | All |
| Application | Elementor | Website Builder | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| WordPress Elementor 3.6.2 Shell Upload ≈ Packet Storm | MISC | packetstormsecurity.com | |
| www.pluginvulnerabilities.com/2022/04/12/5-million-install-wordpress-plugin-elementor-conta... | MISC | www.pluginvulnerabilities.com | |
| Changeset 2708766 for elementor/trunk/core/app/modules/onboarding/module.php – WordPress Plugin Repository | MISC | plugins.trac.wordpress.org | |
| Critical Remote Code Execution Vulnerability in Elementor | MISC | www.wordfence.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Ramuel Gall, Wordfence
Legacy QID Mappings
- 730450 WordPress Plugin Elementor Remote Code Execution (RCE) Vulnerability