via wptavern.com => original post link
Elementor has patched a critical Remote Code Execution vulnerability that was discovered by threat analyst Ramuel Gall from Wordfence on March 29, 2022. Wordfence disclosed the vulnerability to Elementor via its official security contact email address but did not receive a timely reply. On April 11, 2022, Wordfence disclosed the vulnerability to the WordPress Plugins team. Elementor released a patch in version 3.6.3 on April 12, 2022.
Wordfence described the vulnerability as “Insufficient Access Control leading to Subscriber+ Remote Code Execution.” It received a CVSS (Common Vulnerability Scoring System) score of 9.9 (Critical). The vulnerability affects Elementor’s new onboarding module, introduced recently in version 3.6.0.
Wordfence published a technical explanation of how an attacker might gain unauthorized access: