
Critical RCE Flaw in WP Elementor Website Builder Plugin

by CISOCONNECT Bureau

The WordPress website builder plugin Elementor, which has over five million active installs, has been discovered to be vulnerable to an authenticated Remote Code Execution (RCE) flaw that could be exploited to take control of affected websites.

The bug was introduced in version 3.6.0, released on March 22, 2022, according to Plugin Vulnerabilities, which disclosed the flaw last week. Approximately 37 percent of the plugin’s users run version 3.6.x.

The researchers said, “That means that malicious code provided by the attacker can be run by the website.”

“In this instance, it is possible that the vulnerability might be exploitable by someone not logged in to WordPress, but it can easily be exploited by anyone logged in to WordPress who has access to the WordPress admin dashboard.”

In brief, the issue is an arbitrary file upload on affected websites, which can lead to code execution.

The flaw has been fixed in the most recent version of Elementor, with Patchstack noting that “this vulnerability could allow any authenticated user, regardless of their authorization, to change the site title, site logo, change the theme to Elementor’s theme, and worst of all, upload arbitrary files to the site.”
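The Patchstack description above points at the core defensive lesson: being logged in is not an authorization decision, and an upload endpoint needs both a capability check and content-based file-type validation. The following WordPress AJAX handler is an added illustration written for this article, not Elementor’s code; the action name `example_upload_logo`, the function `example_handle_logo_upload`, the option `example_site_logo` and the form field names are hypothetical, while the WordPress API functions it calls (`check_ajax_referer`, `current_user_can`, `wp_check_filetype_and_ext`, `wp_handle_upload`) are real.

```php
<?php
/**
 * Hypothetical hardened upload handler for a WordPress plugin (added example,
 * not the plugin's own code). Action, function and option names are illustrative.
 */

add_action( 'wp_ajax_example_upload_logo', 'example_handle_logo_upload' );

function example_handle_logo_upload() {
    // 1. Nonce check: reject requests that did not come from our own form.
    check_ajax_referer( 'example_upload_logo', 'nonce' );

    // 2. Capability check: "authenticated" is not "authorized". Changing site
    //    branding or storing files on the server requires a real capability;
    //    a subscriber-level account must be refused here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    if ( empty( $_FILES['logo'] ) || ! is_uploaded_file( $_FILES['logo']['tmp_name'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }
    $file = $_FILES['logo'];

    // 3. Allow-list of what a logo may be. The type is verified from the file
    //    contents and extension, never from the client-supplied MIME header.
    $allowed = array(
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Let WordPress place the file under the uploads directory. With the
    //    'mimes' override it refuses anything outside $allowed, and it
    //    sanitizes the stored filename rather than trusting the original.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $file,
        array(
            'test_form' => false,
            'mimes'     => $allowed,
        )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    // 5. Only now is a site-wide setting changed, and only by a capable user.
    update_option( 'example_site_logo', esc_url_raw( $result['url'] ) );
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The ordering matters: the nonce and capability checks run before any file is touched, so an unprivileged account never reaches the upload logic at all, and the allow-list is enforced twice (once when inspecting the file, once inside `wp_handle_upload`) so a renamed PHP script is rejected on content, not on its claimed name.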

The disclosure comes more than two months after Essential Addons for Elementor was found to contain a critical vulnerability that could result in the execution of arbitrary code on hacked websites.
