Tech
Cybersecurity

This WordPress plugin for Elementor leaves websites vulnerable to hackers

Update your plugin ASAP to close this security flaw that allows hackers take over vulnerable websites.
By Matt Binder  on 
Share on Facebook (opens in a new window) Share on Twitter (opens in a new window) Share on Flipboard (opens in a new window)
WordPress security flaw
A popular plugin for WordPress website builder Elementor has a serious security flaw. Credit: Filip Radwanski/SOPA Images/LightRocket via Getty Images
> Tech

If your website is powered by the WordPress page-builder Elementor, double-check if you're using this popular plugin. Because, if you are, hackers can easily stage a complete takeover of your website thanks to a newly discovered security flaw.

Security researchers at Patchstack have released a new report(opens in a new tab) about a concerning cybersecurity issue related to the WordPress plugin Essential Addons for Elementor. The plugin provides users with an assortment of pre-built WordPress blocks and templates for use when creating or updating their website.

"This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site," writes Patchstack in its report.

SEE ALSO: This Google AI keynote could have been a Gmail

Basically, malicious actors can take advantage of this to reset the password of any user, including the administrator's account. If that latter account's password is reset, a hacker could basically have access to the entire website – backend and all – and take control of the site from its rightful owner. If a targeted website stores user information, this bad actor would have access to and control of that as well.

"This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user," explains Patchstack.

Update the plugin as soon as possible

The plugin vulnerability has since been patched and Essential Addons for Elementor users are being urged to update to version 5.7.2. All versions of the plugin prior, going back to version 5.4.0, are affected by the vulnerability. So, be sure to update the plugin!

More than 43 percent(opens in a new tab) of all of the websites on the internet use WordPress. Elementor is a popular website builder for WordPress-powered sites. More than 12 million(opens in a new tab) WordPress-sites utilize Elementor. According to the WordPress Plugin Directory, more than 1 million(opens in a new tab) active websites have the Essential Addons for Elementor installed.

More in Cybersecurity

Recommended For You
The Netflix password sharing crackdown is here. Check your inbox.
By Amanda Yeo
Don't cancel that 'basic' Netflix subscription. Netflix is testing getting rid of it.
By Matt Binder
Twitter hacker behind infamous 2020 breach sentenced to 5 years in prison
By Anna Iovine
Social app IRL, valued at $1 billion, shuts down because it doesn't have any users IRL
By Matt Binder
Asylum-seekers struggle to enter U.S. using CBP One app, says IRC report
By Chase DiBenedetto
Trending on Mashable
Wordle today: Here's the answer and hints for July 1
By Mashable Team
NASA's new Mars video is astonishing
By Mark Kaufman
Spectacular Webb telescope image reveals things scientists can't explain
By Mark Kaufman
Twitter now blocks visitors from viewing tweets, and profiles unless they're logged in
By Matt Binder
Want to try swinging? Here's a beginner's guide.
By Billy Procida
The biggest stories of the day delivered to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use(opens in a new tab) and Privacy Policy(opens in a new tab). You may unsubscribe from the newsletters at any time.
Thanks for signing up. See you at your inbox!