Elementor, a WordPress website builder plugin that has more than five million active installations, has a vulnerability that can lead to authenticated remote code execution. The vulnerability can be exploited to seize control over affected websites. 

Plugin Vulnerabilities revealed the flaw last week and stated that the bug originated in version 3.6.0, which was released on March 22, 2022. Around 37% of users use the plugin version 3.6.x

“That means that malicious code provided by the attacker can be run by the website,” the researchers said. “In this instance, it is possible that the vulnerability might be exploitable by someone not logged in to WordPress, but it can easily be exploited by anyone logged in to WordPress who has access to the WordPress admin dashboard.”

In brief, the vulnerability is linked to an arbitrary file upload to impacted websites, possibly resulting in code execution.

The bug has been addressed in the latest version of Elementor, with Patchstack noting that “this vulnerability could allow any authenticated user, regardless of their authorization, to change the site title, site logo, change the theme to Elementor’s theme, and worst of all, upload arbitrary files to the site.”

Two months earlier, a critical vulnerability was detected in Essential Addons for Elementor, and the vulnerability also could be exploited for remote code execution on affected websites.