Gaping Security Hole discovered in WordPress Elementor plugin
To be specific, the vulnerability is in the popular Essential Addons for Elementor plugin for WordPress. This is a premium plugin that is used to add features to the Elementor plugin and the solution to fix is to upgrade to the most recent version (5.0.6 or later is patched).
The vulnerability was discovered by independent threat researcher ‘Wai Yan Myo Thet’ and is known as a file inclusion vulnerability.
This type of vulnerability will allow an attacker to trick the plugin into accessing a file on the server that it may not normally serve to the website.
Using a specially crafted URL to include the targeted file name, the attacker would be able to gain access to that file, which could be something like your wp-config.php file (containing information about your WordPress installation), the WordPress database itself, or even run a script on the server that could launch something nefarious like a shell tool which would allow the attacker root access to the server.
Simply Web Services has already patched all installations of ‘Essential Addons for Elementor plugin for WordPress’ that reside on our servers, on accounts that we manage.
You can read more about this vulnerability at Naked Security