Security News > 2022 > April > Critical RCE Flaw Reported in WordPress Elementor Website Builder Plugin
Elementor, a WordPress website builder plugin with over five million active installations, has been found to be vulnerable to an authenticated remote code execution flaw that could be abused to take over affected websites.
Plugin Vulnerabilities, which disclosed the flaw last week, said the bug was introduced in version 3.6.0 that was released on March 22, 2022.
Roughly 37% of users of the plugin are on version 3.6.x. "That means that malicious code provided by the attacker can be run by the website," the researchers said.
"In this instance, it is possible that the vulnerability might be exploitable by someone not logged in to WordPress, but it can easily be exploited by anyone logged in to WordPress who has access to the WordPress admin dashboard."
In a nutshell, the issue relates to a case of arbitrary file upload to affected websites, potentially leading to code execution.
The disclosure comes more than two months after Essential Addons for Elementor was found to contain a critical vulnerability that could result in the execution of arbitrary code on compromised websites.
News URL
https://thehackernews.com/2022/04/critical-rce-flaw-reported-in-wordpress.html
Related news
- Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability (source)
- Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now (source)
- Critical Erlang/OTP SSH RCE bug now has public exploits, patch now (source)
- Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) (source)
- Critical Langflow RCE flaw exploited to hack AI app servers (source)
- SysAid Patches 4 Critical Flaws Enabling Pre-Auth RCE in On-Premise Version (source)
- Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE (source)
- Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin (source)