Critical Elementor Vulnerability – Immediate Action Required [updated 08/12/2023]

Table of Contents


In recent developments, a critical security vulnerability has been identified in the popular Elementor Website Builder plugin for WordPress. This vulnerability, present in all versions from 3.3.0 up to and including 3.18.1, exposes sites to a severe risk of Remote Code Execution through the template import functionality.

In layman’s terms, the flaw allows authenticated attackers, possessing contributor-level access and above, to upload malicious files and execute code on the server, potentially compromising the entire website.

Vulnerability Details

Vulnerability Type: Authenticated(Contributor+) Arbitrary File Upload to Remote Code Execution via Template Import

Severity: CVSS: 8.8 (as reported by WordFence)

Impact Assessment

The potential consequence of an attack via this vulnerability includes:

      • Unauthorized access to sensitive data.
      • Complete website compromise.
      • Possibility of further attacks on visitors.

    Affected Versions

    Versions of Elementor from 3.3.0 up to and including 3.18.1 are susceptible to this vulnerability.

    Current Status

    Last updated / checked: 13:00 08/12/2023

    An official patch has been released by Elementor (v3.18.2).

    Immediate Action Required

    Here are steps to safeguard your website:

        1. Update Elementor: Update Elementor to version 3.18.2 or higher to receive the patch for this vulnerability.
        2. Audit User Permissions: Review and adjust user roles, especially those with contributor-level access and above. Limit access to essential functions to reduce potential risks.
        3. Secure accounts: It is best practice to secure accounts using Two factor Authentication (2FA), free plugins such as WP2FA and WordFence Login Security can provide this functionality.
        4. Scan for Malicious Files: Conduct a thorough scan of your website for any potentially malicious files. Remove any suspicious files immediately.

      Our Total Support Hosting customers are covered

      We have in place a number of measures to mitigate any possible attacks – and have active monitoring in place for early detection and prompt recovery. 

      Furthermore, once an patch is released we will push this update to all our affected customers

      About our Total Support Hosting package:

      Our premium hosting package is built around three areas: speed, security and total support.

      Our support team provides on-demand support for all your WordPress queries. Whether you need a page adding/editing, our support team can do that for you and they have experience using many different WordPress page builders including Elementor, Divi and WP Bakery (formerly Visual Builder).


      Security is paramount, and swift action is necessary to mitigate potential risks associated with the Elementor vulnerability. Regularly monitor security channels for updates and patches, and keep your website defences robust.

      Get In Touch

      Subscribe to our newsletter

      Get In Touch

      Receive the latest news and offers

      Subscribe To Our Newsletter