Easy Elements for Elementor Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability exists in the Easy Elements for Elementor – Addons & Website Templates WordPress plugin, affecting all versions through 1.4.5. The issue is in the 'easyel_handle_register()' function: the 'wp_ajax_nopriv_eel_register' AJAX handler processes the 'custom_meta' POST array without proper validation. This allows unauthenticated attackers to overwrite the 'wp_capabilities' user meta key, granting administrator privileges to newly registered users. Exploitation requires that user registration is enabled and that the site has a page with the Login/Register widget, which exposes the required nonce.
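
One way a public registration handler could constrain the 'custom_meta' array described above, shown as an added example and not the plugin's own code or its patch. The function name, the allowlisted field names and the sample request are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not code from the plugin.
// Assumed list of profile fields a public registration form may set.
const EXAMPLE_ALLOWED_META = ['phone', 'company', 'job_title'];

/**
 * Keep only allowlisted string values from a request-supplied meta array.
 *
 * @param mixed  $custom_meta Raw 'custom_meta' value from the request.
 * @param string $db_prefix   Table prefix; WordPress prepends it to the
 *                            capabilities and user_level meta keys.
 * @return array{accepted: array<string,string>, rejected: string[]}
 */
function example_filter_custom_meta($custom_meta, string $db_prefix = 'wp_'): array
{
    $accepted = [];
    $rejected = [];
    if (!is_array($custom_meta)) {
        return ['accepted' => $accepted, 'rejected' => $rejected];
    }
    // Role-bearing keys are refused even if later added to the allowlist.
    $forbidden = [$db_prefix . 'capabilities', $db_prefix . 'user_level'];

    foreach ($custom_meta as $key => $value) {
        // Normalise the key the same way WordPress's sanitize_key() does.
        $key = preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key));
        $allowed = in_array($key, EXAMPLE_ALLOWED_META, true)
            && !in_array($key, $forbidden, true);
        // Arrays would be serialized into the meta table: strings only.
        if (!$allowed || !is_string($value)) {
            $rejected[] = $key;
            continue;
        }
        // Strip tags and control characters, then cap the length in bytes.
        $clean = trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($value)));
        $accepted[$key] = substr($clean, 0, 200);
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

// Constructed request data for illustration.
$result = example_filter_custom_meta([
    'phone'           => '+1 555 0100',
    'wp_capabilities' => 'constructed-value',
    'company'         => ['nested' => 'value'],
]);
print_r($result);
```

In a WordPress handler the accepted pairs would then be written with update_user_meta(), and the rejected keys logged; the new account's role is left to the site's default_role setting.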

Impact

Exploitation allows unauthenticated users to register accounts with administrative privileges.

Reproduction

To reproduce this vulnerability, ensure that user registration is enabled on the WordPress site. Then, access a page that includes the Login/Register widget. This widget will publish the 'easy_elements_nonce' in the page DOM, where it can be accessed by unauthenticated visitors. Once the nonce is available, send a POST request to the 'wp_ajax_nopriv_eel_register' AJAX handler, including the 'custom_meta' array with a key-value pair that overwrites the 'wp_capabilities' meta key, granting administrator rights to the new user account.

Added: May 22, 2026, 5:20 AM
Updated: May 22, 2026, 5:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.0
remediation: 0.0
relevance: 8.8
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.