A critical remote code execution vulnerability has been detected in Elementor, the leading website-building platform for WordPress, that could affect nearly 500,000 websites.
Exploiting the vulnerability requires authentication, but it remains a serious threat: any authenticated user of a vulnerable site, including a regular subscriber, can take advantage of it. A threat actor who creates an ordinary user account on an affected site can change the site's name and theme so that it looks completely different.
It is also anticipated that, as analysis continues, an unauthenticated user may be able to exploit this critical vulnerability in the Elementor plugin. The RCE vulnerability has been fixed in version 3.6.3. To avoid attacks that exploit it, website administrators are advised to apply the latest available update for the plugin or to remove the plugin from the website entirely.
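For administrators who manage many WordPress installations, the practical question is which of them still run an Elementor release older than 3.6.3. The following Python script is an added example, not code from the article or from Elementor: it reads the `Version:` field from a WordPress plugin's main-file header and compares it against the fixed release component by component, so that 3.6.10 is correctly treated as newer than 3.6.3 (a plain string comparison would get this wrong). The plugin file path `wp-content/plugins/elementor/elementor.php` and the sample headers are assumptions constructed for the example; the fixed version 3.6.3 comes from the article.

```python
"""Flag WordPress installs whose Elementor plugin predates the fixed release.

Added example, not part of the original article. Assumes the standard
WordPress plugin header format ("Version: x.y.z" inside the main plugin
file's comment block). The path below is an assumption, not from the article.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "3.6.3"  # release in which the article says the RCE was fixed
ELEMENTOR_MAIN_FILE = "wp-content/plugins/elementor/elementor.php"  # assumed path

# WordPress reads plugin metadata from a "Key: value" comment header.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
_COMPONENT_RE = re.compile(r"^(\d*)(.*)$")

Component = Tuple[int, int, str]


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version: field from a plugin header, or None if it is absent."""
    match = _VERSION_RE.search(header_text)
    return match.group(1) if match else None


def version_key(version: str) -> Tuple[Component, ...]:
    """Turn '3.6.10-beta1' into a tuple that compares numerically per component.

    Each dotted component becomes (number, suffix_rank, suffix). A non-numeric
    suffix such as '-beta1' gets rank -1 so that 3.6.3-beta1 sorts below 3.6.3.
    """
    key = []
    for component in version.split("."):
        digits, suffix = _COMPONENT_RE.match(component).groups()
        number = int(digits) if digits else 0
        key.append((number, -1 if suffix else 0, suffix))
    return tuple(key)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed one."""
    a, b = version_key(installed), version_key(fixed)
    pad: Tuple[Component, ...] = ((0, 0, ""),)
    width = max(len(a), len(b))  # pad so that '3.6' compares equal to '3.6.0'
    a += pad * (width - len(a))
    b += pad * (width - len(b))
    return a < b


def audit_header(header_text: str) -> Tuple[Optional[str], bool]:
    """Return (version, vulnerable) for one plugin header; unknown versions are flagged."""
    version = parse_plugin_version(header_text)
    if version is None:
        return None, True  # cannot prove the fix is present, so treat as affected
    return version, is_vulnerable(version)


def audit_site(wordpress_root: str) -> Optional[Tuple[Optional[str], bool]]:
    """Audit a WordPress install on disk; None means Elementor is not installed."""
    plugin_file = Path(wordpress_root) / ELEMENTOR_MAIN_FILE
    if not plugin_file.is_file():
        return None
    return audit_header(plugin_file.read_text(encoding="utf-8", errors="replace"))


# Constructed sample headers, shaped like a WordPress plugin main file.
SAMPLE_VULNERABLE = """<?php
/**
 * Plugin Name: Elementor
 * Version: 3.6.2
 */
"""
SAMPLE_FIXED = """<?php
/**
 * Plugin Name: Elementor
 * Version: 3.6.3
 */
"""

if __name__ == "__main__":
    for label, header in (("sample-a", SAMPLE_VULNERABLE), ("sample-b", SAMPLE_FIXED)):
        version, vulnerable = audit_header(header)
        print(f"{label}: Elementor {version} -> {'UPDATE NEEDED' if vulnerable else 'ok'}")
```

Run `audit_site("/var/www/example")` against each document root you manage; a result of `(version, True)` means the install should receive the update or have the plugin removed, as the advisory recommends. A missing `Version:` header is deliberately reported as vulnerable rather than silently skipped.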