Elementor is a WordPress website-builder plugin with more than 5 million active installations.
Plugin Vulnerabilities, which disclosed the flaw last week, said the bug was introduced in version 3.6.0, released on March 22, 2022. Roughly 37% of the plugin's users are on a 3.6.x release.
“That means that malicious code provided by the attacker can be run by the website,” the researchers said. “In this instance, it is possible that the vulnerability might be exploitable by someone not logged in to WordPress, but it can easily be exploited by anyone logged in to WordPress who has access to the WordPress admin dashboard.”
In a nutshell, the issue is an arbitrary file upload on affected sites: a low-privileged user can place a file of their choosing on the server, which can lead to code execution if that file is a web-reachable script.
The bug has been addressed in the latest version of Elementor, with Patchstack noting that “this vulnerability could allow any authenticated user, regardless of their authorization, to change the site title, site logo, change the theme to Elementor’s theme, and worst of all, upload arbitrary files to the site.”
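The pattern Patchstack describes (an action reachable by any logged-in user, with no check of what that user is allowed to do) is a missing capability check on a WordPress admin-ajax handler. The following is an added illustration of that class of bug and its fix, written for this page; it is not Elementor's code, and the plugin name, action name, nonce name and field names (`acme`, `acme_upload_asset`, `acme_upload`, `asset`) are hypothetical.

```php
<?php
// Added illustration (hypothetical "acme" plugin), not Elementor's code.

// VULNERABLE: wp_ajax_* hooks only require that *some* user is logged in.
// A Subscriber-level account reaches this handler, and nothing here asks
// whether that user may upload files, so any file type lands in a
// web-accessible directory.
add_action( 'wp_ajax_acme_upload_asset', 'acme_upload_asset_vulnerable' );
function acme_upload_asset_vulnerable() {
    $file = $_FILES['asset'];                                   // attacker-controlled
    $dest = wp_upload_dir()['basedir'] . '/' . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $dest );             // e.g. shell.php
    wp_send_json_success( array( 'path' => $dest ) );
}

// HARDENED: bind the request to a nonce, check a capability (not just
// authentication), and let WordPress validate the file type.
add_action( 'wp_ajax_acme_upload_asset_fixed', 'acme_upload_asset_hardened' );
function acme_upload_asset_hardened() {
    // 1. CSRF protection: the nonce must have been issued for this action.
    check_ajax_referer( 'acme_upload', 'nonce' );

    // 2. Authorization: authenticated is not the same as allowed.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. File validation: restrict to an explicit allow-list of MIME types;
    //    wp_handle_upload() also sanitizes the file name and rejects
    //    disallowed extensions.
    $overrides = array(
        'test_form' => false,
        'mimes'     => array(
            'png'      => 'image/png',
            'jpg|jpeg' => 'image/jpeg',
        ),
    );
    $result = wp_handle_upload( $_FILES['asset'], $overrides );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The point to check when auditing a plugin is the second step: `add_action( 'wp_ajax_...' )` guarantees a session, not a role, so every handler that writes files, installs themes or changes options needs its own `current_user_can()` test. Which capability is right depends on the action; for installing plugins or themes the relevant capabilities are `install_plugins` and `install_themes` rather than `upload_files`.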
The disclosure comes more than two months after Essential Addons for Elementor was found to have a critical flaw that could allow the execution of arbitrary code on compromised websites.