Introduction
A critical security vulnerability has been identified in the popular Elementor Website Builder plugin for WordPress. It is present in all versions from 3.3.0 up to and including 3.18.1 and exposes sites to Remote Code Execution through the template import functionality.
In layman’s terms, the flaw allows authenticated attackers with contributor-level access or above to upload files of arbitrary type and execute code on the server, potentially compromising the entire website.
Vulnerability Details
Vulnerability Type: Authenticated (Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import
Severity: CVSS 8.8 (High), as reported by Wordfence
Impact Assessment
The potential consequences of an attack via this vulnerability include:
- Unauthorized access to sensitive data.
- Complete website compromise.
- Possibility of further attacks on visitors.
Affected Versions
Versions of Elementor from 3.3.0 up to and including 3.18.1 are susceptible to this vulnerability.
Current Status
Last updated / checked: 13:00 08/12/2023
An official patch has been released by Elementor (v3.18.2).
Immediate Action Required
Here are steps to safeguard your website:
- Update Elementor: Update to version 3.18.2 or later, which contains the fix for this vulnerability.
- Audit User Permissions: Review user roles, especially accounts with contributor-level access and above (Contributor, Author, Editor, Administrator). Remove accounts that are no longer needed and grant each remaining user only the capabilities their job requires.
- Secure accounts: It is best practice to protect accounts with two-factor authentication (2FA); free plugins such as WP2FA and Wordfence Login Security provide this functionality.
- Scan for Malicious Files: Conduct a thorough scan of your website, paying particular attention to wp-content/uploads, which should contain only static media and never PHP code. Remove any suspicious files immediately.
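The following script, added here as an example and not taken from the original post or from Elementor's own code, automates two of the steps above for a WordPress install: it reads the installed Elementor version from the plugin header and reports whether it lies in the affected range (3.3.0 to 3.18.1 inclusive), and it walks wp-content/uploads flagging files that are PHP by extension or that contain a PHP open tag regardless of extension. The wp-content path and the sample tree built by `build_sample_wp_content` are constructed for the demo; point the functions at a real install (for example /var/www/html/wp-content) to use them.

```python
"""Post-advisory checks for the Elementor arbitrary file upload issue.

Added example, not part of the original post or of Elementor itself.
Assumptions: a standard WordPress layout (wp-content/plugins/elementor/
elementor.php and wp-content/uploads); the sample tree below is constructed.
"""
import os
import re
import tempfile
from pathlib import Path

AFFECTED_MIN = (3, 3, 0)     # first affected release (inclusive)
AFFECTED_MAX = (3, 18, 1)    # last affected release (inclusive)
FIXED_VERSION = (3, 18, 2)   # first patched release

PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7",
                  ".phtml", ".phar", ".phps"}
# Match "<?php" or "<?=" but not "<?xml" (legitimate in SVG uploads).
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def parse_version(text):
    """'3.18.1' -> (3, 18, 1). A missing patch level becomes 0 and a suffix
    such as '-beta1' is ignored; tuples compare correctly (3.18.10 > 3.18.1)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_affected(version):
    """True when the given Elementor version is inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def installed_elementor_version(wp_content):
    """Read 'Version:' from plugins/elementor/elementor.php. WordPress reads
    plugin headers from the first 8 KiB of the main plugin file; do the same."""
    main_file = Path(wp_content) / "plugins" / "elementor" / "elementor.php"
    with open(main_file, "rb") as fh:
        head = fh.read(8192).decode("utf-8", errors="replace")
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", head, re.MULTILINE)
    if not m:
        raise ValueError(f"no Version header in {main_file}")
    return m.group(1)


def suspicious_upload_files(wp_content):
    """Return sorted (relative path, reason) pairs for files under uploads/
    that are PHP by extension or carry a PHP open tag in their first 4 KiB,
    whatever the extension claims (a '.jpg' that starts with <?php is a
    classic planted web shell)."""
    uploads = Path(wp_content) / "uploads"
    hits = []
    for root, _dirs, files in os.walk(uploads):
        for name in files:
            path = Path(root) / name
            reason = None
            if path.suffix.lower() in PHP_EXTENSIONS:
                reason = "php extension"
            else:
                with open(path, "rb") as fh:
                    if PHP_OPEN_TAG.search(fh.read(4096)):
                        reason = "php open tag in content"
            if reason:
                hits.append((path.relative_to(uploads).as_posix(), reason))
    return sorted(hits)


def build_sample_wp_content(version="3.18.1"):
    """Constructed fixture: a minimal wp-content tree with an Elementor plugin
    header and an uploads directory holding one benign image, one planted
    PHP file and one image-named file that is really PHP."""
    base = Path(tempfile.mkdtemp(prefix="wp-content-"))
    plugin = base / "plugins" / "elementor"
    plugin.mkdir(parents=True)
    (plugin / "elementor.php").write_text(
        "<?php\n/**\n * Plugin Name: Elementor\n"
        f" * Version: {version}\n */\n"
    )
    uploads = base / "uploads" / "2023" / "12"
    uploads.mkdir(parents=True)
    (uploads / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (uploads / "cache.php").write_text("<?php /* planted code */ ?>\n")
    (uploads / "photo.jpg").write_bytes(b"GIF89a\n<?php /* planted code */ ?>")
    return base


if __name__ == "__main__":
    wp_content = build_sample_wp_content()          # replace with a real path
    ver = installed_elementor_version(wp_content)
    state = "AFFECTED, update now" if is_affected(ver) else "not affected"
    print(f"Elementor {ver}: {state} (fixed in {'.'.join(map(str, FIXED_VERSION))})")
    for rel, why in suspicious_upload_files(wp_content):
        print(f"suspicious upload: {rel} ({why})")
```

The content check is deliberately extension-agnostic because a double extension or a renamed file defeats an extension-only scan; any hit in uploads is worth a manual look rather than automatic deletion, since a false positive could be a legitimately uploaded code sample. For the permissions audit, WP-CLI can list the accounts to review with `wp user list --role=contributor --fields=ID,user_login,user_email` (repeat for author and editor).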
Our Total Support Hosting customers are covered
We have in place a number of measures to mitigate any possible attacks – and have active monitoring in place for early detection and prompt recovery.
Furthermore, now that a patch (v3.18.2) has been released, we will push this update to all our affected customers.
About our Total Support Hosting package:
Our premium hosting package is built around three areas: speed, security and total support.
Our support team provides on-demand support for all your WordPress queries. Whether you need a page added or edited, our support team can do that for you; they have experience with many different WordPress page builders, including Elementor, Divi and WPBakery Page Builder (formerly Visual Composer).
Conclusion
Security is paramount, and swift action is necessary to mitigate potential risks associated with the Elementor vulnerability. Regularly monitor security channels for updates and patches, and keep your website defences robust.