A vulnerability in the Elementor plugin for WordPress affects millions of websites. The vulnerability exists in Elementor 3.6.0, which was released on 22 March.
Researchers found that the vulnerability stems from a lack of access checks in one of the plugin's files. The check is supposed to run on every request, even when the user is not logged into WordPress. Because the check is not performed, the affected functionality is reachable by unauthorized users. Attackers can gain remote code execution on a website and modify it as they see fit.
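The missing-authorization pattern described above, shown as an added illustration that is not Elementor's code and does not reproduce the affected file: a hypothetical handler hooked to admin_init (which WordPress also fires for unauthenticated admin-ajax.php requests), first with no access check and then gated on a capability check and a nonce. Function, option and nonce names are assumptions.

```php
<?php
// Illustrative plugin fragment, not Elementor's code. All names are hypothetical.
// admin_init runs on every wp-admin request, including admin-ajax.php, which an
// unauthenticated visitor can reach, so a handler on this hook must authorize itself.

// Vulnerable pattern: a privileged state change with no capability or nonce check.
function example_set_package_unsafe() {
    if ( empty( $_POST['example_package'] ) ) {
        return;
    }
    // Anyone who can reach admin-ajax.php can trigger this write.
    $name = sanitize_text_field( wp_unslash( $_POST['example_package'] ) );
    update_option( 'example_active_package', $name );
}
add_action( 'admin_init', 'example_set_package_unsafe' );

// Hardened pattern: the same handler, refusing the request unless the caller is
// a logged-in user with the required capability and presents a valid nonce.
function example_set_package_safe() {
    if ( empty( $_POST['example_package'] ) ) {
        return;
    }
    // Authorization: anonymous visitors hold no capabilities, so this alone
    // closes the unauthenticated path; it also keeps low-privilege users out.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // CSRF protection: the request must carry a nonce issued for this action.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_key( $_POST['_wpnonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_set_package' ) ) {
        wp_die( 'Invalid request.', 403 );
    }
    $name = sanitize_text_field( wp_unslash( $_POST['example_package'] ) );
    update_option( 'example_active_package', $name );
}
// Register the hardened handler in place of the unsafe one:
// add_action( 'admin_init', 'example_set_package_safe' );
```

The form that submits example_package must include the matching nonce (for example via wp_nonce_field( 'example_set_package' )), otherwise the hardened handler rejects legitimate requests too.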
The Elementor plugin is widely used on WordPress sites: around 5 million websites run it, and roughly one-third of these are on the affected version. Version 3.6.3 was released to patch the vulnerability. Users are advised to install the update as soon as possible.
Continued updating important
The strong growth in the number of vulnerabilities affecting WordPress websites raises questions. According to experts, remote code execution (RCE) vulnerabilities deserve more attention. Such exploits are often missed by web application firewalls, because these solutions rely solely on known threats and fail to filter the unknown. Companies are advised to continuously monitor and update their WordPress plugins.