This recent vulnerability uncovered in the Elementor content editing plugin, which was reported via the Wordfence Vulnerabilities RSS feed in our sidebar, warrants some comment. Here is Wordfence's detailed account:
Scale of exposure
Elementor is an excellent page builder. It makes it easy to add and edit content inside WordPress. People in the WordPress community have shown how good Elementor is by electing to install it on some 7 million websites; on the Elementor website, meanwhile, they claim "5+ Million Professionals building better websites." Whatever the exact number, it's a huge installed base. Unfortunately, that also means any vulnerability in Elementor gets extended to all of those websites too.
Plugins of this scale and functionality are built by competent development teams, and I think it’s easy to assume that their product is robust and, importantly, safe for your website.
The irony is not lost on me that Elementor’s latest blog post is about the importance of WordPress Website Maintenance. Sergiei Davidov’s article on the 16 Step Checklist of Crucial Tasks is well worth a read.
What can you do to avoid being hacked?
The issue is fixed in Elementor version 3.1.4, so updating to 3.1.4 or later prevents it. Of course, simply monitoring the updates available for your website and applying them in a timely fashion would already have lessened the chance of being hacked via this vulnerability.
Now that the details of this exploit have been published publicly, it's doubly important to ensure the copy of Elementor installed on your website has been updated.
Why? Because the public announcement will be gratefully picked up by hacker communities. They will promptly update their scanning tools to look for out-of-date Elementor installs, so if you haven't updated Elementor, you become a hacking target.
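As an added example (not code from the original post, nor from Wordfence or Elementor), here is a small POSIX shell script that compares an installed Elementor version against the fixed release named above, 3.1.4, and reports whether that install still needs updating. When run with --live from a WordPress root where WP-CLI is installed (an assumption; the `wp plugin get elementor --field=version` and `wp plugin update elementor` commands are assumed available), it reads the installed version from the site and applies the update if the version is too old. The numeric, component-wise comparison is the point: a plain string comparison would wrongly rank 3.10.0 below 3.9.0.

```shell
#!/bin/sh
# Added example: check whether an installed Elementor version predates the
# fixed release named in the post (3.1.4) and, optionally, update it.
# Assumptions: POSIX sh and awk are available; for the --live path, WP-CLI
# ("wp") is installed and the script is run from the WordPress root.

FIXED_VERSION="3.1.4"

# version_lt A B: exit status 0 when version A is strictly older than B.
# Components are compared numerically, so 3.10.0 is newer than 3.9.0, and a
# missing component counts as 0, so 3.1 equals 3.1.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, ".")
        nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in pa) ? pa[i] + 0 : 0
            y = (i in pb) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1   # equal versions: A is not older than B
    }'
}

# elementor_status VERSION: prints "vulnerable" if VERSION is older than the
# fixed release, otherwise "ok".
elementor_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        printf 'vulnerable\n'
    else
        printf 'ok\n'
    fi
}

# Constructed sample versions, to show the comparison without touching a site.
for v in 2.9.20 3.1.3 3.1.4 3.1 3.2 3.10.0; do
    printf 'Elementor %-7s -> %s\n' "$v" "$(elementor_status "$v")"
done

# Live check against the site this script is run in (assumed WP-CLI commands).
if [ "${1:-}" = "--live" ]; then
    installed=$(wp plugin get elementor --field=version)
    printf 'Installed Elementor %s is %s\n' "$installed" "$(elementor_status "$installed")"
    if version_lt "$installed" "$FIXED_VERSION"; then
        wp plugin update elementor
    fi
fi
```

Run it as `sh elementor_check.sh` to see the sample comparisons, or `sh elementor_check.sh --live` inside a WordPress install to check and update the real plugin. The same two functions can be looped over a list of sites if you manage several.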
What can you do if your site has been hacked?
In the first instance, you can contact us to see whether we are able to help.
If you've been hacked, here's some help from Learning Lab: