Over five million active installations of the WordPress website builder plugin Elementor have been found to be vulnerable to an authenticated remote code execution flaw that could be abused to take over affected websites.
That's when the bug was discovered by Plugin Vulnerabilities, which released its findings last week, citing the March 22, 2022, release of version 3.6.0. About 37% of the plugin's users are still using version 3.6.x.
There is a risk of malicious code being run by the website, researchers said. This vulnerability may be exploitable by someone who is not logged in to WordPress, but it can be easily exploited by anyone who has access to the WordPress admin dashboard.
It's basically a case of an arbitrary file upload to the affected websites, which could result in code execution if that file is malicious.
"This vulnerability could allow any authenticated user, regardless of their authorization, to change the site title, site logo, change the theme to Elementor's theme, and worst of all, upload arbitrary files to the site," Patchstack notes.
Essential Addons for Elementor was found to have a critical vulnerability that could result in the execution of arbitrary code on compromised websites more than two months ago.
Post a Comment
Your suggestions and comments are welcome