CVE-2023-39157: RCE in JetElements For Elementor Plugin affects 300,000 websites

A critical vulnerability has been discovered in the JetElements For Elementor plugin that could allow an authenticated attacker to execute arbitrary code on the target website. The vulnerability, which has been assigned the CVE-2023-39157 identifier, has a CVSS score of 9.0, making it a critical risk.

JetElements is a much-lauded add-on for Elementor, offering over 40 widgets to dynamically create and manage website content. Boasting an active user base of approximately 300,000, the plugin’s popularity brings with it a heightened potential for damage when a vulnerability surfaces.

This authenticated RCE vulnerability enables a user, with a minimum role of “Contributor,” to perform arbitrary PHP function executions, leading to a potent code execution attack. Rafie Muhammad from Patchstack identified this issue, which, in the hands of a malicious actor, could enable them to run commands, establish a backdoor, and ultimately seize full control of the target website.

The vulnerability lies within the plugin’s render_meta function, which makes a call to PHP’s built-in function call_user_func_array, with the input parameters $callback and $callback_args. This function permits any function supplied in the $callback parameter to be called, and the $callback_args to be passed as arguments of the called function.

includes/shortcodes/jet-posts-shortcode.php, function render_meta()

public function render_meta( $position = '', $base = '', $context = array( 'before' ) ) {



    $config_key    = $position . '_meta';

    $show_key      = 'show_' . $position . '_meta';

    $position_key  = 'meta_' . $position . '_position';

    $meta_show     = $this->get_attr( $show_key );

    $meta_position = $this->get_attr( $position_key );

    $meta_config   = $this->get_attr( $config_key );



    if ( 'yes' !== $meta_show ) {

        return;

    }



    if ( ! $meta_position || ! in_array( $meta_position, $context ) ) {

        return;

    }



    if ( empty( $meta_config ) ) {

        return;

    }



    $result = '';



    foreach ( $meta_config as $meta ) {



        if ( empty( $meta['meta_key'] ) ) {

            continue;

        }



        $key      = $meta['meta_key'];

        $callback = ! empty( $meta['meta_callback'] ) ? $meta['meta_callback'] : false;

        $value    = get_post_meta( get_the_ID(), $key, false );



        if ( ! $value ) {

            continue;

        }



        $callback_args = array( $value[0] );



------------------------- CUT HERE -------------------------



        if ( ! empty( $callback ) && is_callable( $callback ) ) {

            $meta_val = call_user_func_array( $callback, $callback_args );

        } else {

            $meta_val = $value[0];

        }

------------------------- CUT HERE -------------------------

When a user opts to “Show Meta” in the posts widget settings, the render_meta function is triggered. The “Show Meta” feature allows for the specification of a meta key, label, and a callback function used to prepare the meta. The problem surfaces when the $callback parameter, sourced from $meta[‘meta_callback’], is left unchecked and completely controllable by the user. Likewise, the $callback_args parameter is also user-controllable, stemming from the $value variable constructed from get_post_meta( get_the_ID(), $key, false ).

Consequently, this scenario facilitates a potential RCE attack. An attacker could inject the PHP system or shell_exec function as the callback function, set the meta key to _elementor_data, and then introduce an OS command in the “Label” of the “Show Meta” feature. To activate the RCE, a privileged user must publish the drafted post, which, when visited, triggers the exploit.

Fortunately, the CVE-2023-39157 vulnerability has been addressed in JetElements for Elementor version 2.6.11. Users are advised to update to the latest version of the plugin as soon as possible.

In the meantime, users can mitigate the risk of exploitation by disabling the JetElements For Elementor plugin. To do this, navigate to the Plugins page in the WordPress dashboard and deactivate the plugin.

Users are advised to follow the following recommendations to help protect their websites from security vulnerabilities:

• Keep all plugins and software up to date.
• Use a security plugin to scan your website for vulnerabilities.
• Implement strong passwords and two-factor authentication.
• Back up your website regularly.