If you run WooCommerce and Elementor Pro, update Elementor Pro TODAY
Older versions of Elementor Pro allow users to escalate to WordPress admin access.
A vulnerability in older versions of Elementor Pro allows users to grant themselves admin access to WordPress sites running WooCommerce. Reports from around the world confirm that some websites have been taken over by hackers.
All versions of Elementor Pro up to and including 3.11.6 are at risk. All versions from 3.11.7 onward are patched.
Check your plugins ASAP
- Log into WordPress
- In the left-hand menu, open Plugins > Installed Plugins
- On the Plugins screen, check your Elementor Pro version.
- If you are running Elementor Pro 3.11.6 or lower, update the plugin.
All versions of Elementor Pro from 3.11.7 have fixed this vulnerability. Version 3.12.1, released 2 April 2023, is the latest version at the time of writing.
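The manual check above, scripted for anyone who looks after several sites. This is an added example, not part of the original article; it assumes WP-CLI is installed, that the plugins use their standard slugs `elementor-pro` and `woocommerce`, and that you pass in the paths of your own WordPress installs (the paths in the usage comment are placeholders).

```shell
#!/bin/sh
# Added example: report Elementor Pro installs older than the patched 3.11.7.
# Usage: sh check-elementor-pro.sh /var/www/site1 /var/www/site2   (placeholder paths)
PATCHED="3.11.7"   # first fixed release, per the advisory above

# version_lt A B: succeeds when dotted version A is strictly lower than B.
# Compares component by component as integers, so 3.9 < 3.11.7 is handled
# correctly (a plain string comparison would get that wrong).
version_lt() {
    va=$1 vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ca=${va%%.*}; cb=${vb%%.*}
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
        ca=${ca%%[!0-9]*}; cb=${cb%%[!0-9]*}   # drop suffixes such as "-beta1"
        ca=${ca:-0}; cb=${cb:-0}               # missing component counts as 0
        [ "$ca" -lt "$cb" ] && return 0
        [ "$ca" -gt "$cb" ] && return 1
    done
    return 1   # equal versions are not "lower"
}

# classify_version VERSION: print the verdict for one version string.
classify_version() {
    if version_lt "$1" "$PATCHED"; then echo "VULNERABLE"; else echo "patched"; fi
}

# check_site PATH: query one WordPress install through WP-CLI.
check_site() {
    ver=$(wp plugin get elementor-pro --field=version --path="$1" 2>/dev/null) || {
        echo "$1: Elementor Pro not found (or not a WordPress root)"
        return 0
    }
    if wp plugin is-active woocommerce --path="$1" 2>/dev/null; then
        woo="active"
    else
        woo="not active"
    fi
    echo "$1: Elementor Pro $ver is $(classify_version "$ver"), WooCommerce $woo"
}

for site in "$@"; do
    check_site "$site"
done
```

Any site reported as VULNERABLE with WooCommerce active matches the conditions described in this article and should be updated first.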
More information from around the web
- Elementor’s announcement of the fix in version 3.11.7.
- Technical explanations of the vulnerability and how hackers are exploiting it, from Bleeping Computer and Ars Technica.
- WordPress Hosting from MyHost can include server management for expert defence against vulnerabilities as they emerge.