6 Apr 2023

Security Journalists Baselessly Claim Millions of WordPress Sites at Risk From Recent Vulnerability

Last week, a story about a recently fixed vulnerability in Elementor Pro from the news outlet Bleeping Computer was headlined with the claim that the plugin had 11 million installs, “Hackers exploit bug in Elementor Pro WordPress plugin with 11M installs”. In the body of the story, the author Bill Toulas claimed that the plugin is “used by over eleven million websites”. No source was given for the claim, and a comment asking what the source was went unanswered.

Contradicting that, an Ars Technica story from Dan Goodin claimed it is “running on more than 12 million sites”. The headline of the story also emphasized millions of websites, “Hackers exploit WordPress plugin flaw that gives full control of millions of sites”. Again, no source was provided for the claim.

A third outlet, The Hacker News, in a story written by Ravie Lakshmanan, seemed to provide a source, as the story linked the word “estimated” to something:

The premium plugin is estimated to be used on over 12 million sites.

But that just takes you to the web page for Elementor Pro, which makes no claim like that, as far as we could find.

We reached out to the authors of all three stories, mentioning that the number seemed to be wrong. We asked what the source was and why it wasn’t provided in the story. We got no response. That isn’t all that surprising, since the number appears to be based on carelessness on their part.

Elementor not Elementor Pro

Elementor Pro is a commercial plugin connected with the free plugin Elementor. It would be highly unusual for Elementor Pro to be more popular than Elementor. WordPress.org’s stats say that Elementor has 5+ million installs. It appears that, for whatever reason, WordPress.org’s stats don’t show numbers higher than 5+ million, so Elementor could have a higher count. In January, the developer was claiming that Elementor had 12 million installs. Presumably that count includes Pro usage. Since those stories were written, they have claimed that it is now 13 million installs.

The website BuiltWith put the number of websites that they had counted with Elementor at over 12 million, though with significantly fewer currently using it:

Get a list of 12,923,224 websites using Elementor which includes location information, hosting data, contact details, 8,719,280 currently live websites and an additional 372,427 domains that redirect to sites in this list. 4,203,944 sites that used this technology previously and 779,867 websites in the United States currently using Elementor.

So it looks like the journalists took the install count of Elementor, including Elementor Pro, and treated that as the install count of Elementor Pro (or copied the number from another journalist who did that). At 12 million installs overall, for there to be millions of websites at risk, as claimed by the stories, 1 in 6 users of the plugin would have to be using the pro version, which seems unlikely. Even if that were true, the vulnerability could only be exploited on websites also using WooCommerce, and only by someone logged in to WordPress, which means that for millions of websites to be at risk, the pro version would likely need to be used on millions more websites. So the headline claims of millions of websites at risk seem to be false.

Not Journalism

It’s one thing for a journalist to make a mistake, but that doesn’t appear to be the case here, since when the problem was brought up, they simply ignored it. Not only that, but two of the stories didn’t present this as an estimate; they stated it as if it were a fact, which seems impossible for them to have reasonably believed. With the author of The Hacker News story, things are worse, since they cited a source for the claim that doesn’t back it up.

We have reached out to the news outlets to let them know what happened here with their journalists, and we will update the story if we get a response from them.

Update 4/10: The Bleeping Computer story was updated today to remove mention of an install count of the plugin. Before doing that, they had replied that the 11 million install count had come from an unsourced claim on the About page on the Elementor website, which they referred to as the Elementor Pro website (despite that page making no mention of Elementor Pro).
