SiteGround Addresses Critical Security Vulnerability in Elementor WordPress Plugin on Day 0
The Elementor 3.6.0 version of the WordPress website builder plugin introduced a new functionality for easy plugin setup. Unfortunately a serious security vulnerability has been detected, which if exploited, allows full website access, rendering all Elementor 3.6.0 – 3.6.2 versions vulnerable. SiteGround took immediate action to protect our WordPress clients using the plugin, resulting in all instances on our servers being updated to resolve the issue on day 0 of the vulnerability report. Read on for more information on how we have protected our clients.
How severe is the vulnerability?
The issue is critical, since it allows regular website users, including subscribers, to fake an Elementor Pro .zip file, upload and activate it to a website, executing pretty much any code part of the archive. That means that if you are using Elementor version 3.6.0, 3.6.1 or 3.6.2 for your WordPress site, and user registration is enabled on it (for example WooCommerce websites, membership websites, etc.) an attacker could get full access to your site.
What did we do to protect SiteGround clients?
Due to the severity of the issue, we immediately updated all Elementor plugin instances on our hosting servers. We did that for all clients using the Elementor plugin for WordPress on SiteGround – both the free and the paid versions of the plugin – just to be on the safe side. So, if you’re a SiteGround client, your Elementor plugin version is updated to fix the vulnerability. If you have a WordPress website using the Elementor plugin hosted elsewhere, we recommend updating your plugin version immediately to avoid staying vulnerable.
