A serious flaw in the Elementor WordPress plugin could let authenticated users upload arbitrary files to vulnerable websites, which could result in remote code execution. Elementor is a drag-and-drop website builder for WordPress with over 5 million installs.
The vulnerability, now patched, is believed to have been introduced on March 22 in version 3.6.0 of the plugin. When the flaw was discovered, around one-third of sites running Elementor were on a vulnerable version.
According to researchers with Plugin Vulnerabilities, the problem stems from features that did not perform capability checks, so they were reachable by users who should not have had access to them.
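As an added illustration of the bug class described above (hypothetical plugin code written for this page, not Elementor's own), here is a WordPress AJAX upload handler in two forms: the first only verifies a nonce, so any logged-in user can reach it; the hardened one also requires the capability the feature actually needs and routes the file through WordPress's own upload handling. The action names, the `myplugin_` prefix and the `install_plugins` capability choice are assumptions.

```php
<?php
// Hypothetical WordPress plugin code, added as an example; not Elementor's code.

// VULNERABLE PATTERN: the 'wp_ajax_' hook is reachable by every authenticated
// user, and the handler never asks whether that user may install files.
add_action( 'wp_ajax_myplugin_upload_v1', 'myplugin_upload_vulnerable' );
function myplugin_upload_vulnerable() {
    // A nonce only proves the request came from a page the user loaded;
    // it is not an authorization check.
    check_ajax_referer( 'myplugin_upload', 'nonce' );
    $file = $_FILES['file'];
    // Any file type and name, written straight into a web-served directory.
    move_uploaded_file( $file['tmp_name'], WP_CONTENT_DIR . '/uploads/' . $file['name'] );
    wp_send_json_success();
}

// HARDENED: same feature, but a capability check gates the action and the
// upload goes through wp_handle_upload(), which applies WordPress's
// allowed-file-type checks and sanitizes the stored file name.
add_action( 'wp_ajax_myplugin_upload', 'myplugin_upload_hardened' );
function myplugin_upload_hardened() {
    check_ajax_referer( 'myplugin_upload', 'nonce' );

    // Capability check: only users allowed to install code may upload here.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file supplied', 400 ); // exits
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    // 'test_form' => false because this is an AJAX request, not a form post.
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 ); // e.g. disallowed file type
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

When auditing a plugin for this class of issue, look at every `wp_ajax_*` and REST callback and confirm that each one calls `current_user_can()` with a capability appropriate to what the handler does, not just a nonce check.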