Over 3.5 Million Websites Vulnerable to Multiple ‘Elementor’ Flaws

Last updated September 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

A team of researchers at Wordfence warns about a set of 17 ‘Elementor’ plugins vulnerable to recently-disclosed vulnerabilities affecting over 3.5 million websites. The flaws allow any user to access components that should be out of their reach - like the Elementor editor - and add JavaScript snippets into the posts.

Whenever that post is viewed, edited, or previewed by another user of the website, the snippet runs. If the code is crafted maliciously, the possibilities could go as high as gaining admin access on the site.

The following plugins are vulnerable to these cross-site scripting flaws:

If you manage a website using any of the above plugins, make sure to update to the latest available version to avoid any nasty XSS surprises to you or your contributors. Remember, the attacks rely on privilege escalation, so seeing your website taken over and wiped just because you were running a vulnerable Elementor plugin is possible.

If you are a developer who publishes plugins to help extend the functionality of Elementor, you should also review your code and scrutinize the base that you’ve used for relevant flaws. While these vulnerabilities aren’t being exploited en masse, they are excellent tools for highly targeted actors.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: