If your website is powered by the WordPress page-builder Elementor, double-check if you’re using this popular plugin. Because, if you are, hackers can easily stage a complete takeover of your website thanks to a newly discovered security flaw.

Security researchers at Patchstack have released a new report about a concerning cybersecurity issue related to the WordPress plugin Essential Addons for Elementor. The plugin provides users with an assortment of pre-built WordPress blocks and templates for use when creating or updating their website.

“This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site,” writes Patchstack in its report.

Basically, malicious actors can take advantage of this to reset the password of any user, including the administrator’s account. If that latter account’s password is reset, a hacker could basically have access to the entire website – backend and all – and take control of the site from its rightful owner. If a targeted website stores user information, this bad actor would have access to and control of that as well.

“This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user,” explains Patchstack.

Update the plugin as soon as possible

The plugin vulnerability has since been patched and Essential Addons for Elementor users are being urged to update to version 5.7.2. All versions of the plugin prior, going back to version 5.4.0, are affected by the vulnerability. So, be sure to update the plugin!

More than 43 percent of all of the websites on the internet use WordPress. Elementor is a popular website builder for WordPress-powered sites. More than 12 million WordPress-sites utilize Elementor. According to the WordPress Plugin Directory, more than 1 million active websites have the Essential Addons for Elementor installed.


Leave a Reply

Your email address will not be published. Required fields are marked *