The popular Elementor plugin contained a critical vulnerability. It made it possible for attackers to remotely take over WordPress websites running the plugin. Security experts advise website owners using Elementor to install the released update as soon as possible.
Cybersecurity company Wordfence discovered the vulnerability. The company describes it in detail in a blog post.
Hackers can take over WordPress websites through vulnerability
Elementor is a so-called page builder plugin. Website builders who don’t like the standard WordPress themes can use it to design a site to their own taste, for example by inserting extra columns, a counter, a carousel or buttons. Elementor is popular with many developers: it is active on more than five million websites.
With widely used plugins, it is important that the developer performs regular maintenance. It only takes one small flaw in the code and millions of users are exposed. Cybersecurity company Wordfence therefore keeps a close eye on the plugin.
And that’s a good thing. The security company discovered a critical vulnerability in the plugin. It allows malicious parties to remotely upload and execute arbitrary PHP code on the web server, which is known as Remote Code Execution (RCE). Attackers can thus take full control of a WordPress website.
Install Elementor version 3.6.3 as soon as possible
Wordfence employees discovered the vulnerability on March 29. They informed the developer of the plugin via the contact form. A week later, Wordfence had not received a response, so the team sent the developer another message about the vulnerability.
When that message also went unanswered, the company forwarded its findings to the WordPress Plugins Team on April 11. A day later, a security update appeared. The vulnerability affects Elementor versions 3.6.0 through 3.6.2; version 3.6.3 fixes the problem.
Security experts advise everyone to install this patch as soon as possible.
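A quick way to tell whether a site falls in the affected range is to read the version from the plugin's header and compare it against the versions named above. The following is an added example and not code from the article or from Wordfence or Elementor; it assumes the header lives at the top of elementor.php in the plugin directory and uses a constructed sample header instead of reading the file.

```python
import re

# Version range named in the article: 3.6.0 through 3.6.2 vulnerable, fixed in 3.6.3.
FIRST_AFFECTED = (3, 6, 0)
FIXED_IN = (3, 6, 3)

# Constructed sample of a WordPress plugin header block. On a real site you would
# read it from wp-content/plugins/elementor/elementor.php (assumed path).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Elementor
 * Description: Sample header constructed for this example.
 * Version: 3.6.1
 * Author: Elementor.com
 */
"""


def parse_version(header_text):
    """Return the plugin version as an int tuple, or None if no Version: line is found."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).strip(".").split("."))


def is_affected(version):
    """True when version lies in [FIRST_AFFECTED, FIXED_IN); short versions are padded (3.6 == 3.6.0)."""
    padded = tuple(version) + (0,) * (3 - len(version))
    return FIRST_AFFECTED <= padded < FIXED_IN


def check_header(header_text):
    """Classify a plugin header as 'vulnerable', 'patched', 'unaffected' or 'unknown'."""
    version = parse_version(header_text)
    if version is None:
        return "unknown"
    if is_affected(version):
        return "vulnerable"
    if version >= FIXED_IN:
        return "patched"
    return "unaffected"  # older than 3.6.0, outside the range the advisory names


if __name__ == "__main__":
    print(parse_version(SAMPLE_HEADER), check_header(SAMPLE_HEADER))
```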
Not the first time Elementor has faced a vulnerability
It’s not the first time Elementor has had problems. At the beginning of this year, cybersecurity company Patchstack also reported a vulnerability related to the plugin. A flaw in Essential Addons, an extension for the plugin, allowed unauthorized users to carry out a local file inclusion attack. This gives attackers access to a website and allows them to remotely infect it with malicious code. The only requirement was that the site had enabled the ‘Dynamic Gallery’ and ‘Product Gallery’ widgets.
Government agencies can use WordPress with peace of mind
The use of WordPress for government websites was under discussion for some time last year. Dagblad Trouw wrote at the time that websites of the FIOD, customs and tax authorities, among others, ran “an extra high risk” of being hacked, because the login page is accessible to everyone.
The then State Secretary for the Interior and Kingdom Relations Raymond Knops reassured the House of Representatives by promising that government agencies could use WordPress with peace of mind. “I see no objection to the use of individual software packages, such as WordPress, once risk assessments have been made and measures have been taken,” said Knops.