LA-Studio Element Kit for Elementor < 1.5.6.3 - Missing Authorization
Description
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 1.5.6.3 (exclusive). This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<1.5.6.3Source Code
WordPress.org SVNThis research plan outlines the steps to investigate and exploit a Missing Authorization vulnerability in the **LA-Studio Element Kit for Elementor** plugin (versions < 1.5.6.3). ## 1. Vulnerability Summary The **LA-Studio Element Kit for Elementor** plugin fails to implement proper authorization c…
Show full research plan
This research plan outlines the steps to investigate and exploit a Missing Authorization vulnerability in the LA-Studio Element Kit for Elementor plugin (versions < 1.5.6.3).
1. Vulnerability Summary
The LA-Studio Element Kit for Elementor plugin fails to implement proper authorization checks (e.g., current_user_can) on one or more of its AJAX handlers. This allows an unauthenticated attacker to trigger administrative functions by sending a request to admin-ajax.php. Given the CVSS score of 5.3 (Integrity impact), the vulnerability likely allows modifying plugin settings or enabling/disabling plugin features.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Method: POST
- Action: Likely
lastudio_element_kit_save_settingsorlastudio_kit_save_extensions(inferred). - Authentication: None required (unauthenticated).
- Preconditions: The plugin must be active.
3. Code Flow (Inferred Investigation)
The research agent should first locate the registration of the vulnerable AJAX handler.
- Registration: Search for AJAX actions registered for unauthenticated users:
grep -r "wp_ajax_nopriv_" wp-content/plugins/lastudio-element-kit/ - Handler Identification: Look for a handler that performs sensitive operations (like
update_option) and lacks a capability check.- Target File: Likely
includes/class-ajax.phporincludes/admin/class-admin.php. - Vulnerable Pattern:
add_action('wp_ajax_nopriv_lastudio_element_kit_save_settings', 'handler_function'); function handler_function() { // If no current_user_can('manage_options') check is present... $data = $_POST['settings']; update_option('lastudio_element_kit_settings', $data); }
- Target File: Likely
- Sink: The sink is typically
update_option()orupdate_site_option().
4. Nonce Acquisition Strategy
If the function calls check_ajax_referer or wp_verify_nonce, a nonce is required.
- Identify Action String: Find the
wp_create_noncecall in the source code to see the action string (e.g.,lastudio-element-kit-nonce). - Identify Localization: Look for
wp_localize_scriptto find where the nonce is exposed to the frontend.- Search:
grep -r "wp_localize_script" wp-content/plugins/lastudio-element-kit/ - Example Variable:
lastudio_element_kit_admin_varsorla_element_kit_settings.
- Search:
- Extraction Steps:
- The plugin likely loads its scripts in the WordPress admin or on pages using its widgets.
- Action: Create a page with a LA-Studio Element Kit widget/shortcode:
wp post create --post_type=page --post_status=publish --post_content='[lastudio_element_kit_shortcode]'(Verify exact shortcode usinggrep "add_shortcode"). - Navigation: Use
browser_navigateto the created page. - Evaluation: Use
browser_evalto extract the nonce:browser_eval("window.lastudio_element_kit_admin_vars?.nonce")(Replace with actual JS object and key found in source).
5. Exploitation Strategy
Once the action and (if necessary) nonce are identified:
- Determine Payload: Analyze the handler to see what data it accepts. If it's a settings update, identify the option key.
- Construct Request:
- URL:
http://<target>/wp-admin/admin-ajax.php - Method: POST
- Content-Type:
application/x-www-form-urlencoded - Body:
action=lastudio_element_kit_save_settings&nonce=<EXTRACTED_NONCE>&settings[some_option]=malicious_value
- URL:
- Execution: Use the
http_requesttool to send the payload.
6. Test Data Setup
- Install and activate the plugin (version < 1.5.6.3).
- Identify a specific setting that can be modified (e.g., "extensions" or "active_modules").
- If a nonce is required, identify the shortcode or widget that enqueues the necessary scripts and create a public page containing it.
7. Expected Results
- Success: The server returns a
200 OKresponse, often with a JSON body:{"success":true}. - Impact: The targeted WordPress option in the
wp_optionstable is updated with the attacker-supplied value.
8. Verification Steps
After the exploit attempt, use WP-CLI to verify the change:
- Check the relevant option:
wp option get lastudio_element_kit_settings(Verify the exact option name in the source). - Verify if the "malicious_value" or updated configuration is present in the output.
9. Alternative Approaches
- Missing Nonce Check: If
check_ajax_refereris absent, the exploit is a direct POST request with no nonce. - REST API: Check if the plugin registers any REST routes via
register_rest_routethat lack apermission_callbackor use__return_true. - Settings Injection: If the plugin allows updating arbitrary options (unlikely but possible), target the
users_can_registeroption to enable site-wide registration.
Summary
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check in its AJAX handlers. This allows unauthenticated attackers to update plugin configurations by sending crafted requests to the WordPress AJAX endpoint.
Security Fix
@@ -12,6 +12,9 @@ public function save_plugin_settings() { + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error(); + } + check_ajax_referer( 'la-el-kit-nonce', 'security' ); $settings = $_POST['settings']; update_option( 'la_el_kit_settings', $settings ); wp_send_json_success(); }
Exploit Outline
The exploit involves sending a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to the plugin's settings-save handler (e.g., 'lastudio_element_kit_save_settings'). The attacker includes a 'settings' array containing malicious or unauthorized configuration values. Since the handler fails to verify the user's capabilities via current_user_can(), the request is processed even if the attacker is unauthenticated. If a security nonce is checked, it can typically be retrieved from the page source where the plugin's scripts are localized and enqueued.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.