Critical Remote Code Execution Vulnerability in Elementor

Wordfence discovered a critical vulnerability in the Elementor plugin that allowed any authenticated user to upload arbitrary PHP code. Elementor is one of the most popular WordPress plugins and is installed on over 5 million websites.

A patched version of the plugin, 3.6.3, was released on April 12, 2022.

This is a critical vulnerability that allows any authenticated user to upload and execute malicious code on a site running a vulnerable version of the Elementor plugin. The good news is that the vulnerability is not present in versions prior to 3.6.0 and was successfully patched in 3.6.3.

