On April 12th, 2022, an important security update was released for the Elementor plugin to patch a critical Remote Code Execution (RCE) vulnerability. The flaw allowed any authenticated user, including subscribers, to upload and execute arbitrary PHP code on a website. You can view the security patch here.
It appears that when Elementor version 3.6.0 introduced its new onboarding module, the module did not include the necessary capability checks. As a result, attackers could execute code and even take over a website.
Cloudways Managed Security Has it Handled
Cloudways takes the security of your websites extremely seriously. As a managed hosting platform, we handle security updates for our customers. On April 13th, all websites using Elementor were automatically updated to the latest secure version, 3.6.3.
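To confirm which installs still sit in the affected range (3.6.0, where the onboarding module was introduced, up to but not including 3.6.3), a check like the following can be run on the server. It is an added example, not Cloudways or Elementor code; the plugin path `wp-content/plugins/elementor/elementor.php`, its `Version:` header, and treating every release between those two versions as affected are assumptions.

```shell
# Added example: flag Elementor installs in the range this post describes.
FIRST_AFFECTED="3.6.0"   # onboarding module introduced (from the post)
FIRST_FIXED="3.6.3"      # patched release (from the post)

# ver_lt A B: succeed when dotted version A is strictly lower than B.
ver_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # ignore suffixes such as "-beta1"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# elementor_version WP_ROOT: print the plugin's Version header.
# Assumption: the standard layout wp-content/plugins/elementor/elementor.php.
elementor_version() {
    f="$1/wp-content/plugins/elementor/elementor.php"
    [ -f "$f" ] || return 1
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9A-Za-z.+-]*\).*/\1/p' "$f" | head -n 1
}

# classify WP_ROOT: print "absent", "unknown", "affected <v>" or "ok <v>".
classify() {
    v=$(elementor_version "$1") || { echo "absent"; return 0; }
    [ -n "$v" ] || { echo "unknown"; return 0; }
    if ver_lt "$v" "$FIRST_AFFECTED" || ! ver_lt "$v" "$FIRST_FIXED"; then
        echo "ok $v"
    else
        echo "affected $v"
    fi
}
# With no arguments, run against a constructed sample tree (not real sites).
if [ $# -eq 0 ]; then
    tmp=$(mktemp -d)
    for ver in 3.5.0 3.6.2 3.6.3; do
        mkdir -p "$tmp/site-$ver/wp-content/plugins/elementor"
        printf '<?php\n/**\n * Plugin Name: Elementor\n * Version: %s\n */\n' "$ver" > "$tmp/site-$ver/wp-content/plugins/elementor/elementor.php"
    done
    set -- "$tmp"/site-*
fi
for root in "$@"; do
    printf '%s\t%s\n' "$root" "$(classify "$root")"
done
[ -z "${tmp:-}" ] || rm -rf "$tmp"
```

Pass one or more WordPress root directories as arguments to audit real installs; any line reporting `affected` is still below the patched release.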
What Should I Do?
Because Cloudways has already applied the Elementor security patch automatically, you no longer need to worry about updating Elementor. However, any other themes or plugins without backwards compatibility may break your website, so you need to update them as soon as possible. We advise you to consult the respective plugin authors for guidance to make the update process quicker.
While we do help our customers roll back to an older version of Elementor if required, we strongly advise against it, as this can potentially lead to greater security issues and require even more time to restore your website.
Marianna Siouti is a Product Marketing Manager at Cloudways. She has over 14 years of experience in the hosting industry, in Marketing and Product. She is someone who falls in love with problems and works towards solving them with technology. You will find her working remotely from warm places, or on LinkedIn.