SiteGround Addresses Critical Security Vulnerability in Elementor WordPress Plugin on Day 0
Elementor 3.6.0, a release of the popular WordPress website builder plugin, introduced new functionality for easier plugin setup (onboarding). Unfortunately, a serious security vulnerability was found in that functionality which, if exploited, gives an attacker full access to the website; all Elementor versions from 3.6.0 to 3.6.2 are affected. SiteGround took immediate action to protect our WordPress clients using the plugin: every Elementor instance on our servers was updated to a fixed version on day 0 of the vulnerability report. Read on for more information on how we have protected our clients.
How severe is the vulnerability?
The issue is critical because it allows any registered website user, including those with the lowest default role (Subscriber), to upload a malicious archive disguised as the Elementor Pro plugin .zip, have it installed and activated on the site, and thereby execute essentially any code contained in the archive. That is a full site compromise from the least-privileged account WordPress offers. In practical terms: if your WordPress site runs Elementor 3.6.0, 3.6.1 or 3.6.2 and user registration is enabled (as it typically is on WooCommerce shops, membership sites, forums and so on), anyone who can create an account could get full access to your site. Note that the attacker does need an account; sites with registration disabled and no untrusted users are a smaller target, but the vulnerable code is still present and should still be updated.
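To make the class of bug concrete, here is an added illustration in WordPress plugin PHP. It is not Elementor's code, not SiteGround's, and not a reconstruction of the actual flaw; the handler names (`example_onboarding_install`, `example_onboarding_install_hardened`, `example_install_zip`) and the `plugin_zip` form field are assumptions made for the example. It shows a hypothetical "upload and activate" AJAX endpoint that only requires the caller to be logged in, beside a hardened version that additionally verifies a nonce, checks the `install_plugins` and `activate_plugins` capabilities, and validates the upload before anything is installed. Everything else used is WordPress core API.

```php
<?php
// Added example, not Elementor's or SiteGround's code. The endpoint names and the
// 'plugin_zip' field are hypothetical; the WordPress functions are real core API.

// VULNERABLE: 'wp_ajax_*' hooks only require a logged-in user, and every role
// (including Subscriber) is logged in. No nonce and no capability check means any
// registered user can make the site install and activate an arbitrary zip.
add_action( 'wp_ajax_example_onboarding_install', 'example_onboarding_install' );
function example_onboarding_install() {
    if ( empty( $_FILES['plugin_zip']['tmp_name'] ) ) {
        wp_send_json_error( 'no file' );
    }
    // Goes straight to the installer: the archive's PHP runs on activation.
    wp_send_json( example_install_zip( $_FILES['plugin_zip']['tmp_name'] ) );
}

// HARDENED: same endpoint with the checks an installer needs in front of it.
add_action( 'wp_ajax_example_onboarding_install_hardened', 'example_onboarding_install_hardened' );
function example_onboarding_install_hardened() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action
    //    (the matching nonce is created with wp_create_nonce( 'example_onboarding_install' )).
    check_ajax_referer( 'example_onboarding_install', 'nonce' );

    // 2. Authorization: being logged in is not enough. Only roles allowed to install
    //    and activate plugins (Administrator by default) may reach the installer.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: reject anything that is not a zip before it is touched.
    if ( empty( $_FILES['plugin_zip']['tmp_name'] ) || empty( $_FILES['plugin_zip']['name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $check = wp_check_filetype_and_ext(
        $_FILES['plugin_zip']['tmp_name'],
        $_FILES['plugin_zip']['name']
    );
    if ( 'zip' !== $check['ext'] ) {
        wp_send_json_error( 'not a zip archive', 400 );
    }

    wp_send_json( example_install_zip( $_FILES['plugin_zip']['tmp_name'] ) );
}

// Hypothetical install-and-activate helper built on WordPress core's Plugin_Upgrader.
// It is deliberately identical for both endpoints: the difference between safe and
// unsafe lies entirely in the checks performed before it is called.
function example_install_zip( $package ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $package ); // true, false or WP_Error
    if ( true !== $installed ) {
        return array( 'success' => false, 'stage' => 'install' );
    }

    $plugin_file = $upgrader->plugin_info();          // e.g. "some-plugin/some-plugin.php"
    $activated   = activate_plugin( $plugin_file );   // null on success, WP_Error on failure
    return array(
        'success' => ! is_wp_error( $activated ),
        'plugin'  => $plugin_file,
    );
}
```

The point to take from the example is the first hook: `wp_ajax_` (as opposed to `wp_ajax_nopriv_`) is often misread as "only for privileged users", but it means only "for any logged-in user", which is exactly why a Subscriber account is sufficient in the scenario the post describes. Any handler that installs, updates or activates code must perform its own capability check; the hook prefix provides none.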
What did we do to protect SiteGround clients?
Due to the severity of the issue, we immediately updated all Elementor plugin instances on our hosting servers. We did that for all clients using the Elementor plugin for WordPress on SiteGround, both the free and the paid versions of the plugin, just to be on the safe side. So, if you are a SiteGround client, your Elementor plugin has already been updated to a version that fixes the vulnerability. If you have a WordPress website using the Elementor plugin hosted elsewhere, we recommend updating the plugin immediately to a version later than 3.6.2, and confirming the installed version afterwards (from the Plugins screen in the WordPress admin, or with WP-CLI) rather than assuming an automatic update ran.
Comments ( 10 )
Joe Simpson Jr
Thanks, Hristo and SiteGround for taking care of this critical Elementor vulnerability. With a number of sites running this page builder, it is awesome you were so proactive. The WordPress community is a great thing.
Mario
Thanks. I use Elementor on all my sites.
Najeeb
Great move. What if we blocked plugin automatic updates? Will it still be updated automatically?
Gergana Zhecheva Siteground Team
The purpose of such an update is to prevent any security breaches to your website. We consider this type of update obligatory, which is why it is applied to all vulnerable plugin versions regardless of the individual auto-update settings in SiteTools. This way we are able to protect as many clients as possible.
Keith
Thanks for the heads up. I am assuming you informed the Elementor team of this vulnerability. What steps have they taken to resolve this issue with their plugin?
Gergana Zhecheva Siteground Team
Hello Keith. The team that discovered this contacted the Elementor team ASAP; more info at the link in the article and here. A patched version of the plugin (containing a fix against the exploit) was released on April 12 by the plugin developers.
Jessica
Thank you for helping to protect our site
Silke
Thank you! Very much appreciated. 5-stars for SG.
Georgia G
Thank you! One of the reasons I trust your service is that you take action quickly to protect your clients.
Joanie W
Thank you for being proactive with this and other vulnerabilities as they arise! This makes my trust in your services go up to 11! Rock on!