Critical RCE Vulnerability Fixed in Latest Elementor Update

April 21, 2022
Cloudways Managed Cloud Hosting Platform
Hosting, WordPress
0 Comments

On April 12th 2022, an important security update was released for the Elementor plugin to patch a critical Remote Code Execution (RCE) vulnerability. The severe security risk allowed all authenticated users, including subscribers, to upload and execute arbitrary PHP code on a website. You can view the security patch WordPress.org/changeset/2708766/elementor/trunk/core/app/modules/onboarding/module.php?old=2688036&old_path=elementor%2Ftrunk%2Fcore%2Fapp%2Fmodules%2Fonboarding%2Fmodule.php” target=”_blank” rel=”noopener nofollow”>here.

It seems that when Elementor version 3.6.0 introduced its new onboarding module, it failed to include the necessary WordPress.org/plugins/security/checking-user-capabilities/” target=”_blank” rel=”noopener nofollow”>capabilities checks. As a result, it opened a window to attackers with malicious intentions to execute code and even take over a website.

Cloudways Managed Security Has it Handled

Cloudways takes the security of your websites extremely seriously. As a managed hosting platform, we handle security updates for our customers. On April 13th, all websites using Elementor were automatically updated to the latest 3.6.3. secure version.

What Should I Do?

As Cloudways has already managed the automatic update of the Elementor security patch, you no longer need to worry about updating Elementor. But any other themes or plugins without backwards compatibility may break your website. You need to update them as soon as possible. We advise you to consult with the respective plugins’ authors to guide you and make the update process quicker.

While we do help our customers roll back to an older version of Elementor if required, we strongly advise against it, as this can lead potentially to greater security issues and can require even more time to restore your website.