Elementor, a WordPress website builder plugin with over five million active installations, was found to be vulnerable to an authenticated remote code execution flaw that could be abused to take over affected websites.
The vulnerability, disclosed last week, was introduced in version 3.6.0, released on March 22, 2022. Approximately 37% of the plugin's users are on version 3.6.x.
The issue stems from an arbitrary file upload flaw: an authenticated user can upload files of any type to an affected website, which could lead to code execution on the server.
The vulnerability was fixed in the latest version of Elementor, and Patchstack said that “This vulnerability could allow any authenticated user, regardless of authorization, to change the site title, the site logo, change the Elementor theme, and worst of all, upload arbitrary files to the site.”
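The point in the quoted advisory is the gap between authentication and authorization: a request can be tied to a logged-in account and still be made by a user who should not be allowed to change site settings or write files. The page does not show the plugin's code, so the following is an added illustration of that pattern in a WordPress AJAX handler, not Elementor's code. The hook names, nonce action, option name and the allowed-type list are assumptions for the example; the WordPress API calls themselves (`check_ajax_referer`, `current_user_can`, `wp_check_filetype_and_ext`, `wp_handle_upload`) are real.

```php
<?php
// Added illustration of an authenticated-but-unauthorized upload handler and
// its hardened counterpart. Not Elementor's code; hook names, the nonce action,
// the option name and the allowed-type list are assumptions for the example.

// Weak pattern: the nonce proves the request came from a page rendered for a
// logged-in user, but says nothing about what that user may do. Any account,
// including a subscriber, can reach this handler and store an arbitrary file
// under wp-content/uploads.
add_action( 'wp_ajax_example_site_logo_upload_weak', function () {
    check_ajax_referer( 'example_onboarding', 'nonce' );   // authentication only

    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file' );
    }
    // No capability check and no type allow-list: whatever was sent is stored.
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    wp_send_json_success( $result );
} );

// Hardened pattern: an explicit capability (authorization) check, plus a type
// allow-list enforced by WordPress's own extension/MIME verification.
add_action( 'wp_ajax_example_site_logo_upload', function () {
    check_ajax_referer( 'example_onboarding', 'nonce' );

    // Only users who may change site settings should be able to change the logo.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // Allow-list of image types only. wp_check_filetype_and_ext() checks the
    // extension against the list and sniffs the file content for images, so a
    // PHP script renamed to .png is rejected here.
    $allowed = array(
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'disallowed file type', 415 );
    }

    // Passing 'mimes' makes wp_handle_upload() apply the same allow-list again
    // when it decides whether to move the file into the uploads directory.
    $result = wp_handle_upload( $_FILES['file'], array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    update_option( 'example_site_logo_url', esc_url_raw( $result['url'] ) );
    wp_send_json_success( array( 'url' => $result['url'] ) );
} );
```

When auditing a plugin for this class of bug, look at every `wp_ajax_*` and REST callback and ask two separate questions: does it verify a nonce (who sent this), and does it call `current_user_can()` with a capability appropriate to the action (may they do this). A nonce alone answers only the first.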
The disclosure comes more than two months after Essential Addons for Elementor was found to contain a critical vulnerability that could result in arbitrary code execution on compromised websites.