There is a new exploit in the wild and this time Elementor is taking the hit. Elementor is used on more than 4 million websites, so it’s kind of a big deal. It’s been quite some time since I’ve seen the Elementor or Elementor Pro plugins getting wrapped up in any kind of exploit, but here we are. All versions released prior to 2.8.5 are vulnerable.
When The Exploit Was Discovered or Released
So there are two parts to this: the discovery of the exploit, and the release of a working model of the exploit. Thanks to responsible disclosure, the company that found the issue reported it to Elementor, and Elementor has patched their software. After 30 days, the additional information and proof of concept will be released to the public (currently scheduled for February 13th 2020).
If you are using Elementor 2.8.5 or lower, you should update your plugin now.
What is the Elementor Page Builder?
From their own website (elementor.com) they use the phrase “The World’s Leading WordPress Page Builder” and to be honest with you, we fully believe that ourselves! We have used dozens of different page builders over the years, but Elementor has remained feature-rich and has been easy for our clients to use in keeping their sites updated.
We’ve used Elementor for small one-page websites and we’ve used it in conjunction with WooCommerce for extensive eCommerce stores with thousands of products. Starting out, many people run into memory issues with the builder, but that is mainly because of their web host’s PHP memory limit of 128MB. Once that’s adjusted to 256MB, the software runs without any issue.
What’s In The New Exploit?
The backbone of the exploit is an “Authenticated Reflected XSS”, which is a fancy way of saying that it allows a hacker to run a script from another site and steal login credentials. XSS means “Cross-Site Scripting” and is one of the most common classes of exploit on the web.
So essentially, a hacker would craft a URL pointing at the site, and when someone clicks it, the page would run the script hosted on the external site. At that point, the script would send a link to the user and steal their login information.
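To make the reflected part concrete, here is an added illustration written for this post; it is not Elementor’s code and does not show the actual Elementor bug. It is a toy page that echoes a query-string value (the parameter name `tab` and the function names are assumptions) first without encoding, then with encoding, and finally with an allow-list check in front of the encoding.

```php
<?php
// Added illustration of a reflected XSS pattern and its fix; not Elementor's code.
// The 'tab' parameter and all function names here are assumptions for the demo.

// Vulnerable form: the query-string value is copied straight into the HTML response,
// so whatever the crafted link carried is interpreted by the browser as markup.
function render_tab_heading_unsafe(string $tab): string {
    return '<h2 class="tab-' . $tab . '">' . $tab . '</h2>';
}

// Hardened form: encode the value for the context it lands in. Inside a WordPress
// plugin the usual calls are esc_attr() for attributes and esc_html() for text nodes;
// htmlspecialchars() is used here so the file runs without WordPress loaded.
function render_tab_heading_safe(string $tab): string {
    $attr = htmlspecialchars($tab, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text = htmlspecialchars($tab, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2 class="tab-' . $attr . '">' . $text . '</h2>';
}

// Extra layer: only accept values from a known list, so unexpected input
// never reaches the output step at all. Returns null for anything else.
function validate_tab(string $tab, array $allowed): ?string {
    return in_array($tab, $allowed, true) ? $tab : null;
}

// Constructed input standing in for what a crafted link (?tab=...) would carry.
// In a real request this would come from $_GET['tab'].
$crafted = '"><script>alert(1)</script>';

// The unsafe output contains a live <script> element; the browser executes it.
echo "Unsafe:\n" . render_tab_heading_unsafe($crafted) . "\n\n";

// The safe output has the quotes and angle brackets encoded, so the browser
// shows the payload as text instead of running it.
echo "Safe:\n" . render_tab_heading_safe($crafted) . "\n\n";

// With validation, the crafted value is rejected and a default is used.
$tab = validate_tab($crafted, ['general', 'style', 'advanced']) ?? 'general';
echo "Validated:\n" . render_tab_heading_safe($tab) . "\n";
```

Run it with `php demo.php` and compare the three outputs: only the first contains a script element. Encoding at the output step is what closes the hole; the allow-list is defence in depth for values that should only ever be one of a few known strings.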
Does The New Elementor Exploit Affect Everyone?
If you have Elementor version 2.8.4 and earlier, then you’re affected and need to update. Updating Elementor is a fairly simple task. Just log in to your WordPress admin area, click Plugins, and then next to the Elementor plugin, click Update Now (it should show that a new version is available).
As always, before making any updates on a website, we strongly advise making a website backup. You will want to make one of your file system and one of your database. Many hosting company control panels offer a One-Click-Backup option that backs both up at the same time. Just download it so you have a copy and then you can proceed with the update. If something goes wrong with the update, at least you have a file to restore from or provide to your host for further assistance.
How Can I Prevent This In The Future?
For the most part, exploits are just one of those things that happen and you really can’t prevent them; bugs are inherent in any code. Thankfully though, the team at Elementor is on top of their game and they updated the plugin very quickly.
Any plugin that you use on your site needs to have an active development community. This is one of the reasons that we don’t recommend keeping a plugin if there have been no updates in the past 6 months. Yes, we understand that not everything needs an update, however, if there’s no communication or updates, to us, the plugin is a candidate for replacement. At the very least, a developer should be updating their plugin to say that it’s compatible with the X.X.XX version of WordPress. A new version of WordPress is released every few weeks, so the plugin should be tested and updated also.
Big Red SEO Can Take Care Of Your Plugin Updates
We perform both on-demand plugin updates and also regularly scheduled monthly management for WordPress. To us, there’s more to a plugin update than just clicking a button and hoping it works. Here are the steps we use and recommend you use also:
- Generate a website backup
- Restore the backup to a testing site
- Install and test the new updates
- Once everything is working, repeat the process on the Live Site
- Generate a final backup of everything working
- Delete the testing site
We use this process with every plugin and WordPress core update we perform on a website.
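The backup and update steps above, as a shell script added for this post (it is not Big Red SEO’s own tooling). It assumes wp-cli is installed and that `WP_PATH` and `BACKUP_DIR` point at the site root and a backup folder; the version check encodes the 2.8.5 fix threshold mentioned earlier so the update only runs when it is actually needed. Restoring to a testing site and deleting it afterwards depend on the host, so they stay manual.

```sh
#!/bin/sh
# Added example for this post: back up, then update Elementor only if the installed
# version is below the patched release. Assumes wp-cli is on PATH; WP_PATH and
# BACKUP_DIR are assumed locations and can be overridden from the environment.
set -eu

PATCHED_VERSION="2.8.5"
WP_PATH="${WP_PATH:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"

# version_lt A B: succeed (exit 0) if dotted version A is lower than B.
# Missing components count as 0, so "2.8" is treated as "2.8.0".
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then return 0; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then return 1; fi
    done
    return 1
}

# elementor_vulnerable VERSION: succeed if VERSION is older than the fixed release.
elementor_vulnerable() {
    version_lt "$1" "$PATCHED_VERSION"
}

# Step 1 of the checklist: one copy of the database and one of the file system,
# both stamped with the same timestamp so they can be restored together.
backup_site() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR"
    wp --path="$WP_PATH" db export "$BACKUP_DIR/db-$stamp.sql"
    tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" -C "$WP_PATH" .
    echo "$stamp"
}

# Steps 3 and 5: update only when the installed version is below 2.8.5,
# take the backup first, and print the version afterwards to confirm the result.
update_elementor_if_vulnerable() {
    current=$(wp --path="$WP_PATH" plugin get elementor --field=version)
    if elementor_vulnerable "$current"; then
        echo "Elementor $current is below $PATCHED_VERSION; backing up and updating"
        backup_site
        wp --path="$WP_PATH" plugin update elementor
        echo "Elementor now at $(wp --path="$WP_PATH" plugin get elementor --field=version)"
    else
        echo "Elementor $current is already at or above $PATCHED_VERSION"
    fi
}

# Only touch the site when explicitly asked: sh update-elementor.sh run
case "${1:-}" in
    run) update_elementor_if_vulnerable ;;
esac
```

Run it first against the testing-site copy (point `WP_PATH` there), then against the live site once the update has been confirmed working; the final backup in the checklist is just a second call to `backup_site` after the update.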
We offer a monthly WordPress Management Package which monitors and takes care of all plugin updates, WordPress Core Software Updates and generates regular backups of your website. The package is available in Quarterly, Semi-Annual and Annual flavors (annual gets a nice deep discount). If you’re interested in monthly management for your WordPress website, please contact us and we’ll be happy to chat and provide pricing.