VYPR
Unrated severity · NVD Advisory · Published Apr 19, 2022 · Updated Feb 7, 2025

Elementor Website Builder 3.6.0 - 3.6.2 - Missing Authorization to Remote Code Execution

CVE-2022-1329

Description

The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file. This makes it possible for attackers to modify site data and to upload malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Elementor Website Builder 3.6.0-3.6.2 for WordPress has a missing capability check in the onboarding module allowing unauthenticated attackers to execute AJAX actions leading to remote code execution.

Vulnerability

The Elementor Website Builder plugin for WordPress versions 3.6.0 to 3.6.2 contains a missing capability check in the ~/core/app/modules/onboarding/module.php file. This flaw allows unauthorized execution of several AJAX actions, enabling attackers to modify site data and upload malicious files without authentication. The vulnerable code path is reachable by any unauthenticated user due to the absence of permission verification [1][3].

Exploitation

An attacker can exploit this vulnerability by sending crafted HTTP requests to the vulnerable AJAX endpoints without needing any prior authentication or user interaction. The attacker can then upload arbitrary files, including PHP shells, by leveraging the missing capability checks. No special network position is required beyond normal web access [3].

Impact

Successful exploitation allows an attacker to modify site data, upload malicious files, and achieve remote code execution on the WordPress installation. This leads to full compromise of the affected site, including potential data theft, defacement, or further propagation of attacks [1].

Mitigation

The vulnerability was patched in version 3.6.3. Users should update to the latest version of Elementor (currently 4.0.9) immediately [1][3]. There are no known workarounds; applying the update is the only recommended mitigation.
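To find installs that still need the 3.6.3 update, the following added example (not part of the advisory or of Elementor's code) scans a web root for Elementor and flags versions 3.6.0 to 3.6.2. It assumes the plugin's main file is `wp-content/plugins/elementor/elementor.php` with a standard WordPress `Version:` header; the function names and the fixture are constructed for illustration.

```shell
#!/bin/sh
# Added example: inventory check for CVE-2022-1329 (Elementor 3.6.0 - 3.6.2).
# Assumption: plugin main file is wp-content/plugins/elementor/elementor.php.

# Print the "Version:" header value from a plugin main file (empty if absent).
plugin_version() {
  sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9A-Za-z.+-]*\).*$/\1/p' "$1" | head -n 1
}

# Echo affected | not-affected | unknown for a version string.
# Assumption: suffixed builds (e.g. 3.6.1-dev) are judged by their base version.
classify() {
  v=${1%%[-+]*}
  case "$v" in ''|*[!0-9.]*) echo unknown; return 0 ;; esac
  old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
  [ -n "${1:-}" ] || { echo unknown; return 0; }
  if [ "$1" -eq 3 ] && [ "${2:-0}" -eq 6 ] && [ "${3:-0}" -le 2 ]; then
    echo affected
  else
    echo not-affected
  fi
}

# Walk a directory tree and print: status <TAB> version <TAB> path
scan_root() {
  find "$1" -type f -path '*/wp-content/plugins/elementor/elementor.php' 2>/dev/null |
  while IFS= read -r f; do
    ver=$(plugin_version "$f")
    printf '%s\t%s\t%s\n' "$(classify "$ver")" "${ver:-?}" "$f"
  done
}

# Constructed fixture: two fake WordPress roots with different plugin headers.
make_fixture() {
  d=$(mktemp -d)
  for pair in site-a:3.6.2 site-b:3.6.3; do
    p="$d/${pair%%:*}/wp-content/plugins/elementor"
    mkdir -p "$p"
    printf '<?php\n/**\n * Plugin Name: Elementor\n * Version: %s\n */\n' "${pair#*:}" > "$p/elementor.php"
  done
  echo "$d"
}

# Usage: sh check.sh /var/www   (does nothing when no path is given)
[ "$#" -eq 0 ] || scan_root "$1"
```

A version match only shows that the update is missing; it does not show whether the site was already modified while it ran an affected release.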

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"Missing capability check in the AJAX handler allows unauthenticated attackers to execute privileged onboarding actions."

Attack vector

An unauthenticated attacker sends a crafted POST request to any WordPress admin AJAX endpoint, including an `action` parameter matching one of the onboarding actions (e.g., `elementor_upload_and_install_pro`, `elementor_update_site_name`, `elementor_upload_site_logo`) along with a valid `_nonce` value. In the affected versions, the `admin_init` hook in `module.php` [ref_id=1] verifies only the nonce and not the `manage_options` capability, and the nonce is created with `wp_create_nonce('onboarding')` and is accessible to unauthenticated users via the onboarding settings endpoint. This enables an attacker to upload arbitrary ZIP files (which are installed as plugins via `Plugin_Upgrader`), upload SVG or other image files, change the site name and logo, activate the Hello Elementor theme, and opt the site into usage data sharing, all without authentication.

Affected code

The vulnerable code is in `~/core/app/modules/onboarding/module.php` [ref_id=1], specifically in the `__construct()` method's `admin_init` AJAX handler and the `maybe_handle_ajax()` method which dispatches actions like `elementor_upload_and_install_pro`, `elementor_upload_site_logo`, `elementor_update_site_name`, `elementor_update_site_logo`, `elementor_update_data_sharing`, `elementor_activate_hello_theme`, and `elementor_update_onboarding_option`.

What the fix does

The patch shown in the changeset [ref_id=1] adds a `current_user_can('manage_options')` capability check inside the `admin_init` AJAX handler before calling `maybe_handle_ajax()`. In versions 3.6.0 to 3.6.2 this capability check was missing from the AJAX handler entirely. The fix ensures that only authenticated users with administrator-level permissions can trigger the onboarding AJAX actions, preventing unauthenticated modification of site data and arbitrary file uploads.

Preconditions

  • config: WordPress site must have Elementor plugin version 3.6.0 to 3.6.2 installed and activated.
  • input: Attacker must obtain a valid nonce, which is exposed to unauthenticated users via the onboarding settings endpoint.
  • network: Attacker must be able to send POST requests to the WordPress admin-ajax.php endpoint.

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
