Remote Code Execution Vulnerability in the WordPress Elementor Plugin

Whilst not phishing related, we thought we’d bring this story to you because of the proliferation of this plugin and the potential for widespread disruption it could cause.

A remote code execution vulnerability has been detected in Elementor, a popular WordPress website builder with over five million active installs. The flaw can be used to take control of affected websites.

The vulnerability was detected in version 3.6.0, which was released on March 22, 2022, according to Plugin Vulnerabilities. The plugin’s version 3.6.x is used by about 38% of users. Although exploiting the vulnerability requires authentication, anybody logged in to the vulnerable website, including regular subscribers, can exploit it.

A malicious attacker who creates a normal user account on a vulnerable website can change the title and design of the affected site. Researchers suspect that a non-logged-in user might also be able to exploit the recently fixed issue in the Elementor plugin; however, this has not been confirmed.

According to researchers:


“The website can run malicious code given by the attacker. It’s possible that the vulnerability can be exploited by someone who isn’t signed into WordPress, but anyone who is logged in and has access to the WordPress admin panel can simply exploit it.”

About The Vulnerability

Researchers from the WordPress security service Plugin Vulnerabilities, who discovered the vulnerability, describe the technical details in a report.


The main difficulty, according to the researchers, is obtaining a genuine nonce. The key nonce is in the “source code of WordPress admin pages that starts ‘elementorCommonConfig’. That is included when signed in as a user with the Subscriber role.”

According to Patchstack:

“This vulnerability might allow any authenticated user, regardless of their permissions, to change the site title, logo, and theme to Elementor’s. Worst of all, post whatever content you want on the website.”

A serious vulnerability was detected in the Essential Addons for Elementor package. More than two months ago, a vulnerability was discovered that can allow remote code execution on vulnerable websites.

According to Wordfence, publishers are encouraged to upgrade to version 3.6.3 or above. Site owners should either update to the latest version of the Elementor WordPress plugin or delete the plugin entirely from their website.
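
An added example (not from the original article, Elementor or the researchers): a Python check that walks a hosting directory, reads each site's Elementor plugin header and flags versions from 3.6.0 up to, but not including, 3.6.3, the range the article describes. The install path `wp-content/plugins/elementor/elementor.php`, the status labels and the site names are assumptions, and the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# From the article: flaw detected in 3.6.0; upgrade to 3.6.3 or above.
INTRODUCED, FIXED = (3, 6, 0), (3, 6, 3)
# Assumption: default install path of the plugin's main file inside a site.
PLUGIN_GLOB = "wp-content/plugins/elementor/elementor.php"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)


def parse_version(header_text):
    """Return the header version as a 3-tuple of ints, or None if absent."""
    m = VERSION_RE.search(header_text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(version):
    if version is None:
        return "unknown"  # header missing or unreadable: check by hand
    return "update-required" if INTRODUCED <= version < FIXED else "outside-range"


def scan(root):
    """Map each site directory under root to (version, status)."""
    results = {}
    for plugin in Path(root).rglob(PLUGIN_GLOB):
        with plugin.open("rb") as fh:  # the header sits at the top of the file
            text = fh.read(8192).decode("utf-8", "replace")
        version = parse_version(text)
        results[plugin.parents[3].name] = (version, classify(version))
    return results


def demo():
    """Scan a constructed tree of four fake sites (sample data, not real hosts)."""
    samples = {"shop": "3.6.0", "blog": "3.6.2", "docs": "3.6.3", "old": "3.5.6"}
    with tempfile.TemporaryDirectory() as tmp:
        for site, ver in samples.items():
            path = Path(tmp) / site / PLUGIN_GLOB
            path.parent.mkdir(parents=True)
            path.write_text(f"<?php\n/**\n * Plugin Name: Elementor\n * Version: {ver}\n */\n")
        return scan(tmp)

if __name__ == "__main__":
    print(demo())
```

To use it on a real host, call `scan()` with the directory that contains the site roots; any site reported as `unknown` needs a manual check.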
