A new Elementor plugin flaw exposed WordPress sites to cyberattacks

Elementor Plugin Flaw Vulnerability WordPress Websites CMS Cyberattacks

Researchers discovered a critical flaw in the Elementor WordPress plugin that could allow authenticated users or malicious actors to upload arbitrary files to impacted websites. This newly discovered vulnerability could potentially lead to code execution of threat actors.

The Elementor plugin is a drag-and-drop website builder exclusively for WordPress, with more than five million installations globally.

The newly confirmed vulnerability that was considered critical by security experts was first introduced last March in the plugin’s version 3.6.0. Approximately one-third of the WordPress websites were running on a vulnerable version when the security researchers spotted the bug.

In addition, the WordPress sites with plugin vulnerabilities, similar to the newly discovered flaw, have several issues with their domains since some functionalities did not perform capability checks. Thus, it can be available to individuals who should not have had access to the sites.

This vulnerability can be threatening for any website owner because any authenticated user, regardless of their authorisation, could alter the WordPress site such as uploading arbitrary files.


The Elementor plugin flaw can also result in numerous security holes that could be abused by threat actors to achieve code execution and potentially take over the exposed website.


The critical vulnerability can be located in an ‘onboarding’ module loaded on each request and is identified by researchers to be attached to the “admin_init” WordPress hook.

The WordPress security company further explained that the hook is fired on any admin-related script or screen but does not automatically imply that it is only fired when a higher privileged administrator is logged in.

The compromised module then operates a POST payload action after reviewing if it has been delivered with a valid nonce since the site admin distributes the nonce token to any authenticated user. The site will allow individuals to perform actions within the domain, regardless of their authorisation.

Security researchers have addressed this concern to the responsible developers and expect a quick patch update to repair this critical flaw.

About the author

Leave a Reply