6 Apr 2023

Security Journalists Baselessly Claim Millions of WordPress Sites at Risk From Recent Vulnerability

Last week, a story about a recently fixed vulnerability in Elementor Pro from the news outlet Bleeping Computer was headlined with the claim that the plugin had 11 million installs: “Hackers exploit bug in Elementor Pro WordPress plugin with 11M installs”. In the body of the story, the author Bill Toulas claimed that the plugin is “used by over eleven million websites”. No source was given for the claim, and a comment asking what the source was went unanswered.

Contradicting that, an Ars Technica story from Dan Goodin claimed it is “running on more than 12 million sites”. The headline of that story also emphasized millions of websites: “Hackers exploit WordPress plugin flaw that gives full control of millions of sites”. Again, no source was provided for the claim. [Read more]

31 Mar 2023

The Right Ways to Protect Against Exploitation of Vulnerabilities Like the One in Elementor Pro

Earlier this week, it was disclosed that a fairly serious vulnerability had been fixed in the commercial WordPress plugin Elementor Pro. As described by the discoverer, NinTechNet, the developer failed to implement basic security in the code, leading to the vulnerability. That included failing to do a capabilities check in an AJAX-accessible function to limit who could access it. That shouldn’t be all that surprising based on what we noted a year ago about the related free Elementor plugin, which has 5+ million installs. At the time, we ran across a serious vulnerability in the plugin after we saw what appeared to be a hacker probing for the plugin. We noted this at the time:

What we immediately found was that the plugin isn’t handling basic security right, as we found many functionalities where capabilities checks were missing where they shouldn’t be. [Read more]
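To make the "missing capabilities check in an AJAX-accessible function" concrete, here is an added illustration of the pattern in a hypothetical plugin. This is example code written for this page, not Elementor's or NinTechNet's code, and the hook names, option names and nonce action (`example_save_setting`, `example_plugin_color`, and so on) are made up. It shows why a `wp_ajax_` handler is reachable by every logged-in user regardless of role, and what the checks a privileged action needs look like.

```php
<?php
// Added illustration (not Elementor Pro's code): a hypothetical plugin's
// AJAX handler, first without and then with the checks a privileged
// action needs. All hook, option and nonce names are invented for the example.

// VULNERABLE PATTERN: wp_ajax_{action} fires for every authenticated user,
// including subscribers, and nothing here verifies who is calling or that
// the request was intentional. A low-privilege account (or a CSRF page
// visited by an admin) can set arbitrary options.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_unchecked' );
function example_save_setting_unchecked() {
    $key   = isset( $_POST['key'] ) ? $_POST['key'] : '';
    $value = isset( $_POST['value'] ) ? $_POST['value'] : '';
    update_option( $key, $value ); // caller chooses both option name and value
    wp_send_json_success();
}

// HARDENED PATTERN: nonce check (request intent / CSRF), capability check
// (authorization), an allow-list of writable options, and input sanitization.
// Note that the nonce alone is not enough: a subscriber can obtain a valid
// nonce for their own session, so the capability check is what limits access.
add_action( 'wp_ajax_example_save_setting_safe', 'example_save_setting_checked' );
function example_save_setting_checked() {
    // 1. The request must carry a nonce issued to this user for this action.
    //    check_ajax_referer() terminates the request with -1 on failure.
    check_ajax_referer( 'example_save_setting', 'nonce' );

    // 2. Authorization: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Never let the client choose the option name: allow-list it.
    $allowed = array( 'example_plugin_color', 'example_plugin_layout' );
    $key     = isset( $_POST['key'] ) ? sanitize_key( wp_unslash( $_POST['key'] ) ) : '';
    if ( ! in_array( $key, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown setting.' ), 400 );
    }

    // 4. Sanitize the value before storing it.
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $key, $value );
    wp_send_json_success( array( 'key' => $key ) );
}

// The nonce is generated server-side when the admin page is rendered and
// handed to the JavaScript that issues the request, e.g. via wp_localize_script():
//   'nonce' => wp_create_nonce( 'example_save_setting' )
```

The quick audit check that follows from this: for every `add_action( 'wp_ajax_...' )` and `add_action( 'wp_ajax_nopriv_...' )` registration in a plugin, read the callback and confirm it contains both a nonce check and a `current_user_can()` check appropriate to what the function does; a handler registered under `wp_ajax_nopriv_` that writes anything is reachable without logging in at all.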