Home SEO News Elementor WordPress Plugin Vulnerability

Elementor WordPress Plugin Vulnerability

Dec 06, 2023 0 Comments
Elementor WordPress Plugin Vulnerability

A high-severity vulnerability was discovered in the Elementor website builder plugin that could allow an attacker to upload files to the website’s server and execute them. The vulnerability is in the template loader functionality.

Elementor Unlimited file upload with dangerous type vulnerability

Elementor website builder is a popular WordPress plugin with over 5 million installs. The popularity is due to its easy to use drag and drop functionality to create professional looking websites.

The vulnerability discovered in Elementor has a rating of 8.8/10 and is said to leave websites using Elementor open to remote code execution through which an attacker is able to essentially take control of the affected website and execute various commands.

The vulnerability type is described as unlimited upload of files with dangerous type. This type of vulnerability is an exploit where an attacker is able to upload malicious files that, in turn, allow commands to be executed on the affected website’s server.

This kind of problem is generally described This way:

“The product allows an attacker to upload or transfer files of a dangerous type that can be automatically processed in the product environment.”

Wordfence describes this specific vulnerability:

“The Elementor Website Builder plugin for WordPress is vulnerable to remote code execution via file upload in all versions up to and including 3.18.0 via the template import functionality.

This makes it possible for authenticated attackers, with access at the contributor level and above, to upload files and execute code on the server.”

Wordfence also states that there is no patch to fix this issue and recommends uninstalling Elementor.

“There is no known patch available. Please review the details of the vulnerability in depth and use mitigations based on your organization’s risk tolerance. It may be best to uninstall the affected software and find a replacement.

Update to Elementor version 3.18.1

Elementor released an update to version 3.18.1 today. It is unclear whether this patch fixes the vulnerability, as the Wordfence site currently states that the vulnerability is not fixed.

The changelog describes this update:

“Fix: Improved code safety enforcement in file upload mechanism”

This is a newly reported vulnerability and facts may change. However, Wordfence warns that hackers are already attacking Elementor websites because its paid version has already blocked eleven hacking attempts at the time of publishing the announcement.

Read the Wordfence notice:

Elementor <= 3.18.0 Upload authenticated arbitrary files (Contributor+) to remote code execution using template import

[ad_2]

Source link

You May Also Like

Las Vegas SEO Co Announces Premier SEO Consultancy Services

Las Vegas SEO Co announces first SEO consulting services

Small seo tools plagiarism checker

Get the highest rank with a small online SEO tool

Local Marketing

The importance of local marketing for home service businesses

MAKE AN IMPACT WITH ADVANCED GENERATIVE ENGINE OPTIMIZATION

Google's advice on fixing broken links for SEO

Google’s unconventional tips for fixing broken backlinks

All the SEO Secrets: The CEO's Advice on Becoming an SEO Expert Transforms Businesses 10,000 Readers

All the SEO Secrets: The CEO’s Advice on Becoming an SEO Expert Transforms Businesses 10,000 Readers

About the Author: Ted Simmons

I follow and report the current news trends on Google news.

Leave a Reply

Your email address will not be published. Required fields are marked *