SiteGround Addresses Critical Security Vulnerability in Elementor WordPress Plugin on Day 0

The Elementor 3.6.0 version of the WordPress website builder plugin introduced a new functionality for easy plugin setup. Unfortunately a serious security vulnerability has been detected, which if exploited, allows full website access, rendering all Elementor 3.6.0 – 3.6.2 versions vulnerable. SiteGround took immediate action to protect our WordPress clients using the plugin, resulting in all instances on our servers being updated to resolve the issue on day 0 of the vulnerability report. Read on for more information on how we have protected our clients.

How severe is the vulnerability?

The issue is critical, since it allows regular website users, including subscribers, to fake an Elementor Pro .zip file, upload and activate it to a website, executing pretty much any code part of the archive. That means that if you are using Elementor version 3.6.0, 3.6.1 or 3.6.2 for your WordPress site, and user registration is enabled on it (for example WooCommerce websites, membership websites, etc.) an attacker could get full access to your site.

What did we do to protect SiteGround clients?

Due to the severity of the issue, we immediately updated all Elementor plugin instances on our hosting servers. We did that for all clients using the Elementor plugin for WordPress on SiteGround – both the free and the paid versions of the plugin – just to be on the safe side. So, if you’re a SiteGround client, your Elementor plugin version is updated to fix the vulnerability. If you have a WordPress website using the Elementor plugin hosted elsewhere, we recommend updating your plugin version immediately to avoid staying vulnerable.

Access email sent!

Sign Up For
More Awesome Content!

Subscribe to receive our monthly newsletters with the latest helpful content and offers from SiteGround.

Thanks!

Please check your email to confirm your subscription.

Hristo Pandjarov

Product Innovation Director

Enthusiastic about all Open Source applications you can think of, but mostly about WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!

Comments ( 10 )

author avatar

Joe Simpson Jr

Apr 17, 2022

Thanks, Hristo and SiteGround for taking care of this critical Elementor vulnerability. With a number of sites running this page builder, it is awesome you were so proactive. The WordPress community is a great thing.

Reply
author avatar

Mario

Apr 18, 2022

Thanks. I use Elementor on all my sites.

Reply
author avatar

Najeeb

Apr 20, 2022

Great move. What if we blocked plugin automatic updates? Will it still updated automatically?

Reply
author avatar

Gergana Zhecheva Siteground Team

Apr 21, 2022

The purpose of such update is to prevent any security breaches to your website. We consider this type of updates obligatory, which is why they are applied on all vulnerable plugin versions regardless of the individual autoupdate settings in SiteTools. This way we are able to protect as many clients as possible.

Reply
author avatar

Keith

Jul 26, 2022

Thanks for the heads up. I am assuming you informed the Elementor team of this vulnerability. What steps have they taken to resolve this issue with their plugin?

Reply
author avatar

Gergana Zhecheva Siteground Team

Jul 28, 2022

Hello Keith, The team that discovered this contacted the Elementor team asap, more info at the link in the article and here. A patched version of the plugin (containing a fix against the exploit) was released on April 12 by the plugin developers.

Reply
author avatar

Jessica

Apr 20, 2022

Thank you for helping to protect our site

Reply
author avatar

Silke

Apr 21, 2022

Thank you! Very much appreciated. 5-stars for SG.

Reply
author avatar

Georgia G

Apr 25, 2022

Thank you! One of the reasons I trust your service is that you take action quickly to protect your clients.

Reply
author avatar

Joanie W

Apr 27, 2022

Thank you for being proactive with this and other vulnerabilities as they arise! This makes my trust in your services go up to 11! Rock on!

Reply

Start discussion