PT-2022-13802 · WordPress · Elementor Website Builder

Ramuel Gall · Published 2022-04-17 · Updated 2023-05-26 · CVE-2022-1329

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Elementor Website Builder plugin for WordPress versions 3.6.0 through 3.6.2

Description: The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file. This makes it possible for attackers to modify site data and upload malicious files that can be used to obtain remote code execution.

Recommendations: For versions 3.6.0 through 3.6.2, update to a version that includes a fix for the missing capability check in the ~/core/app/modules/onboarding/module.php file. As a temporary workaround, consider restricting access to the AJAX actions until a patch is available.
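An added illustration of the defect class named in the description and of the workaround in the recommendations, written for this page rather than taken from Elementor's code: a WordPress AJAX handler that verifies only a nonce, the same handler with a capability check, and a mu-plugin guard that denies named admin-ajax actions to users without manage_options. The action, nonce and option names are placeholders.

```php
<?php
// Illustration only (not Elementor's code). Action, nonce and option names
// are hypothetical placeholders.

// Vulnerable pattern. check_ajax_referer() only proves the request carries a
// nonce minted for the caller's session; it is a CSRF check, not an
// authorization check. Any authenticated user who can obtain the nonce can
// therefore run the action. Shown for contrast; deliberately not hooked.
function example_onboarding_save_vulnerable() {
    check_ajax_referer( 'example_onboarding', '_nonce' );
    $title = sanitize_text_field( wp_unslash( $_POST['site_title'] ?? '' ) );
    update_option( 'blogname', $title );
    wp_send_json_success();
}

// Hardened pattern: nonce for CSRF, then a capability that matches the
// action's impact (changing site settings => manage_options) before any write.
function example_onboarding_save_fixed() {
    check_ajax_referer( 'example_onboarding', '_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }
    $title = sanitize_text_field( wp_unslash( $_POST['site_title'] ?? '' ) );
    update_option( 'blogname', $title );
    wp_send_json_success();
}
// Registered on wp_ajax_ only (no wp_ajax_nopriv_ variant), so unauthenticated
// requests never reach the handler at all.
add_action( 'wp_ajax_example_onboarding_save', 'example_onboarding_save_fixed' );

// Temporary guard, dropped in as a mu-plugin, for a plugin that cannot be
// updated immediately: deny the listed admin-ajax actions to anyone below
// manage_options before the plugin's own handlers run. admin-ajax.php fires
// admin_init ahead of the wp_ajax_{action} hooks, so this runs first.
// Replace the placeholder names with the actions exposed by the affected module.
function example_restrict_onboarding_ajax() {
    if ( ! wp_doing_ajax() || current_user_can( 'manage_options' ) ) {
        return;
    }
    $restricted = array( 'example_onboarding_save', 'example_onboarding_upload' );
    $action     = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    if ( in_array( $action, $restricted, true ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
}
add_action( 'admin_init', 'example_restrict_onboarding_ajax' );
```

The guard is a stopgap that only covers the actions you list; the real fix is the capability check inside each handler, which the plugin update supplies.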

Tags: RCE, Missing Authorization, Unrestricted File Upload

Related Identifiers: CVE-2022-1329

Affected Products: Elementor Website Builder