Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter Robin Labadie

    (@robin-labadie)

    And on a side note, since I know for once devs might read me, I’ll allow myself some remarks about Elementor which is one of the most problematic plugins I’ve ever hosted as a web hosting provider.

    Your heavy code ruins performance on websites and servers by a factor of 5 to 10 compared to native themes. It also alters websites’ security quite often. All that while breaking WordPress’s design and philosophy, making websites dependent on your plugin to even display, with no options for a native migration.

    You shall make an effort to at least clean and optimize your code. Since it is still used on so many websites regardless of its dark sides, you have a huge responsibility in taking care of it in ways that actually matter to the well being of users, hosting providers, internet and ecology.

    I know your plugin’s popularity makes it a better target for security analysis and attacks, but for sure, the complexity of your code and the heavy mess it is makes it harder to maintain, analyze and secure. You should clean and optimize your code so that it doesn’t make websites 10 times slower anymore and use 10 times more resources on servers anymore, resulting in having a poor carbon footprint due to poor optimization on 5 million websites. Because that results in more servers needed and more heavily used ones compared to native or competing solutions. I’m curious to measure the carbon footprint of your plugin, I’ve been wondering how tremendous it may be.

    As a leading plugin editor, you should contribute to making the internet a better place, not a caricature of capitalism where easy paths are taken even if they’re bad in every aspect.

    Alternatively, you could also embrace Gutenberg and Full Site Editing and make nice blocks that do exactly the same but generate direct clean HTML/CSS/JS and don’t slow down websites as much. If you don’t follow the flow, you’ll probably vanish anyway as everyone including Elementor users is following and considering FSE/Gutenberg as it evolves.

    Whether you agree with that or not, you should still clean, simplify, optimize and secure your code, since it’ll make your devs’ lives easier and your users happier and more inclined to buy the pro versions, while helping hosting providers reduce costs, and the whole planet’s ecosystem reduce its resource consumption.

    Thanks for reading, and good luck to anyone working on or using Elementor.

    Thread Starter Robin Labadie

    (@robin-labadie)

    We shall note that the latest changelog for 3.18.1 says: “Fix: Improved code security enforcement in File Upload mechanism”

    So maybe they did fix this issue, but didn’t report to vulnerability organisms in time. Or maybe they fixed another unrelated issue.

    Only the Elementor team can tell us, but are they even visiting this forum? I couldn’t find any official answer on this forum in the last week’s posts. Most issues don’t even have any answer; people seem to solve their issue themselves and report back for others.

    Patchstack headline reports <= 3.18.0 but the detail says <= 3.18.1. Confusing!!

    • This reply was modified 11 months, 3 weeks ago by caordawebsol.
    Thread Starter Robin Labadie

    (@robin-labadie)

    @caordawebsol It said
    versions <= 3.18.1

    Now it is more precise and says:
    versions 3.3.0 to 3.18.1

    I don’t see any mention of 3.18.0, maybe the vulnerability info got updated since. Otherwise don’t hesitate to post the link.

    In any case, the issue is not fixed yet; we finally had an official response here: https://www.ads-software.com/support/topic/security-122/#post-17261087

    Best regards

    Plugin Support aracelil

    (@aracelil)

    Hi,

    Thank you for contacting us.

    I want to share with you that our team is already aware of this and they are working on it as we speak. While I can’t share any ETA as this requires core code changes, this is taken very seriously at our end and I expect to have a patch release very soon.

    Thank you for your continuous support and patience.

    Regards,

    Thread Starter Robin Labadie

    (@robin-labadie)

    Hello,

    Thank you for the official answer.

    However, if the plugin is still vulnerable then this isn’t a resolved issue. So please, do not mark this thread as “resolved” until the patch is out, as this could mislead users into thinking the patch is out if they don’t read carefully and just stop at the first post and topic status.

    Thread Starter Robin Labadie

    (@robin-labadie)

    @elsatutu @amandainely as they said, there is no ETA (estimated time of arrival) so we don’t know when the patch will be released.

    If you want to be safe in the meantime, you should deactivate the plugin and since this would probably break your website, you should put it in maintenance mode in the meantime, or use the occasion to switch to a native or full site editing theme, which will greatly improve your server and website’s performance and carbon footprint.

    Now I do believe nobody will want to put down their websites for an undefined amount of time, so the best solution is to make sure you have a proper backup in case of a hack. And once it is patched, run a full scan with a plugin such as WordFence and check your users in order to make sure that you haven’t been hacked.

    If you have sensitive data on your website but don’t want to shut it down in the meantime, then you may consider checking Patchstack, as it appears they have a “vPatch” available. I’m discovering this solution, that seems to be a tweak that you can apply to mitigate the vulnerability as documented here https://docs.patchstack.com/docs/patchstack-modules
    However it is a paid option, and if I understand their pricing well, it would appear that vPatching is available from 9$/month per 10 websites. https://patchstack.com/pricing/ Maybe Elementor could subscribe in order to analyze the patch and implement it faster than they seem to be able to diagnose their own issue…

    @hurikhan for a rollback to be useful, please note that you must use a version prior to Elementor 3.3.0 which is now the known version to have introduced this vulnerability. However by doing so you will likely re-introduce other vulnerabilities that have been fixed since… So a rollback does not seem to be a good solution here.
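
For anyone hosting many sites, one way to find installs inside the affected range quoted in this thread (3.3.0 to 3.18.1). This is an added example, not part of any post here and not Elementor or Patchstack code; it assumes the standard WordPress layout `wp-content/plugins/elementor/elementor.php` and the `Version:` plugin header, and the sample tree built in `demo()` is constructed.

```python
import re
import tempfile
from pathlib import Path

# Affected range as stated in this thread: versions 3.3.0 to 3.18.1.
AFFECTED_MIN = (3, 3, 0)
AFFECTED_MAX = (3, 18, 1)

# WordPress takes a plugin's version from the "Version:" header comment
# near the top of the plugin's main file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.M | re.I)

def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # "3.3" compares as 3.3.0
    return tuple(parts)

def audit(root):
    """Map each site directory under root to (version, status)."""
    results = {}
    pattern = "**/wp-content/plugins/elementor/elementor.php"
    for main in sorted(Path(root).glob(pattern)):
        site = main.parents[3]  # directory that contains wp-content
        head = main.read_text(encoding="utf-8", errors="replace")[:8192]
        version = parse_version(head)
        if version is None:
            status = "unknown"  # header missing: inspect by hand
        elif AFFECTED_MIN <= version <= AFFECTED_MAX:
            status = "affected"
        else:
            status = "outside-range"  # not in the stated range only
        results[str(site)] = (version, status)
    return results

def demo():
    """Run the audit over a constructed tree of three sample sites."""
    samples = {"site-a": "3.18.1", "site-b": "3.18.2", "site-c": "3.2.5"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in samples.items():
            plugin = Path(tmp, name, "wp-content/plugins/elementor")
            plugin.mkdir(parents=True)
            (plugin / "elementor.php").write_text(
                f"<?php\n/**\n * Plugin Name: Elementor\n * Version: {ver}\n */\n")
        return {Path(k).name: v for k, v in audit(tmp).items()}

if __name__ == "__main__":
    for site, (ver, status) in demo().items():
        print(site, ver, status)
```

On a real server, call `audit()` with the directory that holds the customer sites; "outside-range" only means the version is not in the range given above, which is why an install older than 3.3.0 still deserves attention.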

    Plugin Support aracelil

    (@aracelil)

    Hello.

    Just wanted to inform you that this issue has been resolved (ref: https://www.ads-software.com/plugins/elementor/#developers). We truly appreciate your patience as we worked to resolve it.

    Kind Regards,

  • The topic ‘Arbitrary File Upload vulnerability in versions <= 3.18.1’ is closed to new replies.