CVE-2022-1329 HIGH

CVE-2022-1329: Elementor Website Builder 3.6.0 - 3.6.2 - Missing Authorization to Remote Code Execution

Vendor Elemntor
Product Elementor Website Builder
Weakness CWE-862 · Missing authorization
Published April 19, 2022
Last update February 7, 2025
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that make it possible for attackers to modify site data in addition to uploading malicious files that can be used to obtain remote code execution, in versions 3.6.0 to 3.6.2.

Key dates

02Disclosure timeline

April 19, 2022 CVE published
February 7, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-25309 WordPress PublishPress Authors plugin <= 4.10.1 - Broken Access Control vulnerability CVE-2025-69349 WordPress RSS Feed Widget plugin <= 3.0.2 - Broken Access Control vulnerability CVE-2026-24605 WordPress X Addons for Elementor plugin <= 1.0.23 - Broken Access Control vulnerability CVE-2026-49054 WordPress The Post Grid plugin <= 7.9.2 - Broken Access Control vulnerability CVE-2026-32394 WordPress PublishPress Capabilities plugin <= 2.31.0 - Broken Access Control vulnerability