On December 6, 2023, the Wordfence team noticed a changelog entry for version 3.18.1 of Elementor, a WordPress plugin installed on nearly 9 million sites. We did not discover the original vulnerability and only became aware of it after reviewing the changelog containing a partial patch. Wordfence immediately released a firewall rule to paid Wordfence customers. The firewall rule will be made available to free Wordfence users 30 days later, on January 5, 2023.
After reviewing the vulnerability further, Wordfence determined that the patch was insufficient and could still be exploited, though it would be more difficult.
Wordfence immediately contacted the Elementor team the same day, on December 6, 2023, to let them know that the patch failed to fully resolve the issue. Elementor released a sufficient patch in version 3.18.2 on December 8, 2023. We commend the team at Elementor in their swift response to this situation.
Fortunately, the vulnerability, while severe, requires Contributor-level privileges or higher to exploit, which minimizes the number of sites likely to be impacted. Few sites use Contributors, and attackers would need to be able to register as a contributor or higher user, or obtain valid credentials for a contributor-level+ user account to exploit this vulnerability.