High severity8.8NVD Advisory· Published Apr 19, 2022· Updated Jun 17, 2026
CVE-2022-1329
CVE-2022-1329
Description
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: 3.6.0-3.6.2
- elemntor/Elementor Website Builderv5Range: 3.6.0
Patches
Vulnerability mechanics
References
4- plugins.trac.wordpress.org/changeset/2708766/elementor/trunk/core/app/modules/onboarding/module.phpnvdPatchRelease NotesVendor Advisory
- packetstormsecurity.com/files/168615/WordPress-Elementor-3.6.2-Shell-Upload.htmlnvdExploitThird Party AdvisoryVDB Entry
- www.pluginvulnerabilities.com/2022/04/12/5-million-install-wordpress-plugin-elementor-contains-authenticated-remote-code-execution-rce-vulnerability/nvdExploitThird Party Advisory
- www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/nvdExploitThird Party Advisory
News mentions
0No linked articles in our index yet.