Critical flaw in Elementor WordPress plugin may affect 500k sites

The authors of the Elementor Website Builder plugin for WordPress have just released version 3.6.3 to address a critical remote code execution flaw that may impact as many as 500,000 websites.
Security researchers believe that a non-logged-in user could also exploit the recently fixed flaw in the Elementor plugin, but they have not confirmed this scenario.
In a report released this week, researchers at the WordPress security service Plugin Vulnerabilities, who found the vulnerability, describe the technical details behind the issue in Elementor.
"The RCE vulnerability we found involves the function upload_and_install_pro() accessible through the previous function. That function will install a WordPress plugin sent with the request" - Plugin Vulnerabilities.
According to Plugin Vulnerabilities, the issue was introduced with Elementor 3.6.0, released on March 22, 2022.
Admins are advised to apply the latest update available for the Elementor WordPress plugin or remove the plugin from their websites altogether.