Wordfence, the maker of one of the best security plugins, recently published a security advisory for Elementor. Versions 3.6.0 to 3.6.3 of the free version of Elementor contain a major security vulnerability.
This vulnerability allows any authenticated user to upload files to your server. The danger is that such files can contain malicious code, or just a small script that gives an attacker full access to your site.
If you are using the Pro version* of Elementor, don’t assume that this vulnerability doesn’t affect you, because you need the Free version installed to use Elementor Pro.
Where exactly is the security gap?
With Elementor version 3.6.0, an onboarding page was introduced to help you set up Elementor. Unfortunately, this feature does not check the user's permissions, so any registered user – e.g. one with only the “subscriber” role – could use it to gain access to your website.
What you should do now
I urge you to check your Elementor version and, if an update is available, install it right away.
With version 3.6.4 a patch was delivered that closes this security gap.
Before updating you should make a backup. You can do this with the free plugin UpdraftPlus*.
After you have made the updates for Elementor, you may see a small notice that the database also needs to be updated for the latest Elementor version. You can easily do this by clicking on the button in the notice.
Your website should now be protected against this security hole.
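If you manage several sites over SSH, the version check above can be scripted instead of done by hand. The following is an added example, not code from the post or from Elementor: it reads the "Version:" line from the plugin's main file (assumed to be the standard wp-content/plugins/elementor/elementor.php) and reports whether it falls in the affected range 3.6.0 to 3.6.3; the plugin header it runs against is a constructed sample so the script works offline.

```shell
#!/bin/sh
# Added example: flag an Elementor install that still lacks the 3.6.4 fix.
# Assumption: the plugin header is the standard WordPress one, found in
# wp-content/plugins/elementor/elementor.php on a real site.

# Print the value of the "Version:" header line from a plugin's main file.
elementor_version() {
  grep -m 1 'Version:' "$1" | sed 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# Compare two dotted versions numerically: prints -1, 0 or 1 for a<b, a=b, a>b.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ "$ai" = "$a" ] && a="" || a="${a#*.}"
    [ "$bi" = "$b" ] && b="" || b="${b#*.}"
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
    if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
  done
  echo 0
}

# True (exit 0) when the version is within [3.6.0, 3.6.3], the affected range.
is_vulnerable() {
  [ -n "$1" ] || return 1
  [ "$(vercmp "$1" 3.6.0)" -ge 0 ] && [ "$(vercmp "$1" 3.6.3)" -le 0 ]
}

# Constructed sample of the header block WordPress reads from elementor.php.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<?php
/**
 * Plugin Name: Elementor
 * Version: 3.6.2
 */
EOF

v=$(elementor_version "$SAMPLE")
if is_vulnerable "$v"; then
  echo "Elementor $v is in the affected range 3.6.0-3.6.3: update to 3.6.4 or later"
else
  echo "Elementor ${v:-(version not found)} is outside the affected range"
fi
rm -f "$SAMPLE"
```

On a live site, point elementor_version at the real elementor.php path (or compare the output of `wp plugin get elementor --field=version` from WP-CLI) instead of the constructed sample.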