This could happen if an attacker uploads a PHP file to the wp-content/uploads directory, or to any other directory that holds user uploads and has an unvalidated file in it.

An unauthenticated attacker can upload a PHP file or any other file with unvalidated data in it.

This update also fixes an XSS vulnerability via unvalidated input.

An unauthenticated attacker can inject XSS via unvalidated input.

If you’re using the Elementor WordPress plugin before 5.0.5 and have uploaded any file to the wp-content/uploads directory or any other directory that holds user uploads, you must update as soon as possible.

The other issue fixed in this update is an improper permission check in WP_Http::_charset_list() when used with WP_Http::_set_response_header().

This could allow an attacker to gain unauthorised access to the WP_Http class via unvalidated input.

WordPress v5.0.5

The new update fixes a cross-site scripting (XSS) vulnerability in the Elementor plugin via unvalidated input.

WP Auto Installer 2.0


This is a new release of WP Auto Installer, a plugin that automatically installs WordPress and other goodies like it.

Check the version of your WordPress plugin first

The latest version of Elementor is 5.0.5, so you must update it.

If you're using another WordPress plugin and find that it's vulnerable to CVE-2022-0320, check the version of your plugin first and update as soon as possible.

Timeline

Published on: 02/01/2022 13:15:00 UTC
Last modified on: 02/04/2022 20:40:00 UTC

References