Elementor, a WordPress website builder plugin with over 5 million active installations, has been discovered to be vulnerable to an authenticated remote code execution bug that could be exploited to take control of affected websites.
The bug was introduced in version 3.6.0, released on March 22, 2022, according to Plugin Vulnerabilities, which disclosed the flaw last week. Approximately 37% of the plugin's users are on version 3.6.x.
"This means that the website can run malicious code given by the attacker," the researchers explained. "In this case, the vulnerability may be exploitable by someone who is not logged in to WordPress, but it may easily be exploited by anyone who is logged in to WordPress and has access to the WordPress admin dashboard."
In a nutshell, the problem involves arbitrary file uploads to impacted websites, which could result in code execution.
Patchstack notes that "this vulnerability might allow any authenticated user, regardless of their authorization, to modify the site title, site logo, change the theme to Elementor's theme, and worst of all, upload arbitrary files to the site."
The announcement comes more than two months after Essential Addons for Elementor was discovered to include a serious vulnerability that might allow arbitrary code to be executed on compromised websites.