If your website is built with the WordPress page builder Elementor, check whether you are using this popular add-on plugin: if you are, attackers can take over your website completely through a recently discovered security flaw.
Patchstack security researchers have published a new report on a serious vulnerability in the WordPress plugin Essential Addons for Elementor. The plugin provides users with an assortment of pre-made WordPress blocks and templates to use when creating or updating their website.
“This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to elevate their privilege to that of any user on the WordPress site,” Patchstack writes in its report.
In practice, malicious actors can exploit this to reset the password of any user, including the administrator account. Once the administrator’s password is reset, an attacker gains access to the entire website – backend and all – and takes control of the site away from its rightful owner. If the targeted website stores user information, the attacker would also have access to and control of that data.
“This vulnerability occurs because this password reset function does not validate a password reset key and directly changes the given user’s password,” says Patchstack.
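To make the root cause concrete, here is an added illustration in plain WordPress PHP of the flawed pattern the report describes next to a hardened version; this is not the plugin’s own code, the function names are hypothetical, and the request fields rp_login, rp_key and password are assumptions.

```php
<?php
// Illustrative only, not the plugin's code. Hypothetical function names.

// Flawed pattern: trusts the submitted login and changes the password
// without ever validating a reset key, so anyone can pick any account.
function demo_handle_reset_vulnerable( array $post ) {
    $user = get_user_by( 'login', sanitize_user( $post['rp_login'] ?? '' ) );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user.' );
    }
    wp_set_password( (string) ( $post['password'] ?? '' ), $user->ID ); // no key check
    return true;
}

// Hardened pattern: the reset key, created by get_password_reset_key() and
// e-mailed only to the account owner, must validate before anything changes.
function demo_handle_reset_hardened( array $post ) {
    $login = sanitize_user( $post['rp_login'] ?? '' );
    $key   = sanitize_text_field( $post['rp_key'] ?? '' );
    $pass  = (string) ( $post['password'] ?? '' );

    if ( '' === $login || '' === $key || '' === $pass ) {
        return new WP_Error( 'missing_fields', 'Incomplete request.' );
    }

    // WordPress core: returns a WP_User on success, or a WP_Error when the
    // key does not match the stored hash or has expired.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        return $user;
    }

    // Core helper: sets the new password and clears the used key.
    reset_password( $user, $pass );
    return true;
}
```

The defensive takeaway is that the key returned by check_password_reset_key() is the only proof that the requester controls the account’s e-mail, so a reset endpoint must never change a password on a bare username alone.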
Update the plugin as soon as possible
The plugin vulnerability has since been patched and users of Essential Addons for Elementor are advised to update to version 5.7.2. All earlier versions of the plugin, dating back to version 5.4.0, are affected by the vulnerability. So be sure to update the plugin!
More than 43 percent of all websites on the internet use WordPress. Elementor is a popular website builder for WordPress-powered sites, and more than 12 million WordPress sites use it. According to the WordPress Plugin Directory, over 1 million active websites have Essential Addons for Elementor installed.