Tech
Cybersecurity

This WordPress plugin for Elementor leaves websites vulnerable to hackers

Update your plugin ASAP to close this security flaw that allows hackers take over vulnerable websites.
By Matt Binder  on 
Share on Facebook (opens in a new window) Share on Twitter (opens in a new window) Share on Flipboard (opens in a new window)
WordPress security flaw
A popular plugin for WordPress website builder Elementor has a serious security flaw. Credit: Filip Radwanski/SOPA Images/LightRocket via Getty Images
> Tech

If your website is powered by the WordPress page-builder Elementor, double-check if you're using this popular plugin. Because, if you are, hackers can easily stage a complete takeover of your website thanks to a newly discovered security flaw.

Security researchers at Patchstack have released a new report(opens in a new tab) about a concerning cybersecurity issue related to the WordPress plugin Essential Addons for Elementor. The plugin provides users with an assortment of pre-built WordPress blocks and templates for use when creating or updating their website.

"This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site," writes Patchstack in its report.

SEE ALSO: This Google AI keynote could have been a Gmail

Basically, malicious actors can take advantage of this to reset the password of any user, including the administrator's account. If that latter account's password is reset, a hacker could basically have access to the entire website – backend and all – and take control of the site from its rightful owner. If a targeted website stores user information, this bad actor would have access to and control of that as well.

"This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user," explains Patchstack.

Update the plugin as soon as possible

The plugin vulnerability has since been patched and Essential Addons for Elementor users are being urged to update to version 5.7.2. All versions of the plugin prior, going back to version 5.4.0, are affected by the vulnerability. So, be sure to update the plugin!

More than 43 percent(opens in a new tab) of all of the websites on the internet use WordPress. Elementor is a popular website builder for WordPress-powered sites. More than 12 million(opens in a new tab) WordPress-sites utilize Elementor. According to the WordPress Plugin Directory, more than 1 million(opens in a new tab) active websites have the Essential Addons for Elementor installed.

More in Cybersecurity

Recommended For You
'Yellowjackets' Season 2 finale trailer teases a life or death ritual
By Sam Haysom
The best handheld gaming consoles of 2023
By Dylan Haas and Haley Henschel
Tripadvisor in Australia: Everything you need to know
By Mashable Contributor
Disney+ and Hulu will purge over two dozen more shows. Here's the list so far.
By Caitlin Welsh
Trending on Mashable
Wordle today: Here's the answer and hints for May 24
By Mashable Team
Gen Z is challenging the way we date, says Tinder report
By Rachel Thompson
These new telescope images of the sun are just spectacular
By Elisha Sauers
A huge star just exploded, and you can actually see it
By Mark Kaufman
'Succession': Kendall's daughter just posted the perfect tweet about Logan's funeral
By Sam Haysom
The biggest stories of the day delivered to your inbox.
By signing up to the Mashable newsletter you agree to receive electronic communications from Mashable that may sometimes include advertisements or sponsored content.
Thanks for signing up. See you at your inbox!