WordFence discovered a critical vulnerability in the Elementor plugin that allowed any authenticated user to upload arbitrary PHP code. Elementor is one of the most popular WordPress plugins and is installed on over 5 million websites.
A patched version of the plugin, 3.6.3, was released on April 12, 2022.
This is a critical vulnerability that allows any authenticated user to upload and execute malicious code on a site running a vulnerable version of the Elementor plugin. The good news is that the vulnerability is not present in versions prior to 3.6.0 and was successfully patched in 3.6.3.
Source: https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability