The WordPress plugin known as Elementor, a page builder everyone knows and (kind of) loves, is under attack by hackers.
A critical vulnerability in Elementor continues to be exploited by attackers, specifically within the Plus Addons for Elementor plugin.
It’s important to note that only the Plus Addons for Elementor plugin is being exploited, not the free version. The core version of Elementor is also not under attack.
Two new versions have been released to address this security issue: 4.1.6 was released once the attack was fully disclosed, and 4.1.7 was subsequently released to fully address the issue. In other words, version 4.1.6 was only a partial patch. If you are still on 4.1.6, you should still update to 4.1.7.
What Type of Vulnerability Is This?
Wordfence, a security plugin development company, explains that this is a cross-site scripting (XSS) vulnerability.
According to them, it presents the following threat:
This is a significant issue because these elements allow someone to add custom HTML tags for the content within the elements.
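To show why a user-chosen tag name matters, here is an added example (not Elementor's, the Plus Addons' or Wordfence's code) that renders an element once with the tag used as given and once with the tag checked against an allowlist on the server. The function names, the allowlist and the sample settings are hypothetical, and it assumes the tag setting reaches the page without validation, which this article does not detail.

```php
<?php
// Added example: all names here are hypothetical, not taken from the plugin.

// Tags an element is allowed to use as its wrapper (assumed list).
const ALLOWED_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'div', 'span', 'p'];

// Normalise the requested tag and fall back to a safe default if it is not listed.
function safe_tag(string $requested, string $fallback = 'div'): string
{
    $tag = strtolower(trim($requested));
    return in_array($tag, ALLOWED_TAGS, true) ? $tag : $fallback;
}

// Weak pattern: the tag setting is written into the markup exactly as supplied.
function render_unchecked(string $tag, string $text): string
{
    return "<{$tag}>{$text}</{$tag}>";
}

// Hardened pattern: allowlisted tag, HTML-escaped content.
function render_checked(string $tag, string $text): string
{
    $tag  = safe_tag($tag);
    $text = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<{$tag}>{$text}</{$tag}>";
}

// Constructed sample settings: [requested tag, element text].
$samples = [
    ['H2 ', 'Welcome'],                 // legitimate value, needs normalising
    ['script', 'alert(1)'],             // tag that must never be accepted
    ['div onmouseover=x', 'Caption'],   // attribute smuggled into the tag name
];

foreach ($samples as [$tag, $text]) {
    echo 'unchecked: ', render_unchecked($tag, $text), PHP_EOL;
    echo 'checked:   ', render_checked($tag, $text), PHP_EOL;
}
```

The check has to run where the markup is generated: restricting the choices only in the editor's interface leaves the stored setting open to any value sent directly to the server.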
There are different options to set the tag depending on the element:
According to WordPress Tavern, Wordfence is also reporting that:
Why This Vulnerability Is So Important to Correct
It’s important to ensure that you correct these vulnerabilities as quickly as possible because if you don’t, it may result in someone gaining the ability to take over your site entirely.
And if someone gains malicious access to your website, they can do whatever they want. All of the website’s private information will be accessible to them, and all of it can be deleted, altered, shared or published as they wish.
For most website administrators, a worse scenario is nearly impossible to imagine.
Remember to Update Your Plugins
Don’t forget to keep your plugins updated whenever these security announcements occur. This could mean the difference between keeping everything you have gained on your site and losing it all.
So far, Elementor has been great about ensuring that any reported vulnerabilities and weaknesses are addressed appropriately, so all that’s left for you to do is click update.
Keep an eye on the iloveseo.com blog for updates on the latest bugs, hacks, threats and vulnerabilities occurring in the world of SEO software.