Elementor resolves security vulnerability in Elementor Pro
The issue has been resolved, please update to Elementor Pro 3.11.7 or higher.
A security vulnerability was reported to Elementor on March 18th, 2023. Our team worked diligently as soon as it was discovered to deploy an emergency fix, which has been introduced in Elementor 3.11.7 on March 22, 2023.
Does this concern me?
If you have an older version of Elementor Pro (3.11.6 or older) AND WooCommerce installed on your website, you may be exposed to this security vulnerability.
What should I do next?
Update your website to the latest versions of Elementor and Elementor Pro. In general, it is recommended to always keep your website plugins up to date, as this can reduce the likelihood of security and incompatibility issues.
What do I do if my website’s been hacked?
Restore a clean backup of your website. If you have an Elementor Hosting plan, this guide can help; otherwise, your hosting provider can help with this if needed. Once your clean backup has been restored, update to the latest version of Elementor Pro.
Elementor’s Bug Bounty Program
This is also a good opportunity to remind you that we welcome ethical disclosures as part of our publicly available Bug Bounty program (bugcrowd.com/elementor). We’re inviting our community to be rewarded for uncovering issues and potential risks to Elementor, helping us to enhance our security posture and continue to empower web creators with the best web creation platform.
Bug Bounty Program: https://elemn.to/bug-bounty
If you need additional assistance, you can reach out to support by going to your account’s dashboard and opening a ticket.
FAQ
Q: What happened?
A: A security vulnerability was reported to Elementor on March 18th, 2023. Our team worked diligently as soon as it was discovered to deploy an emergency fix, which has been introduced in Elementor 3.11.7 on March 22, 2023.
Q: How do I know if my site was affected?
A: Only websites that have WooCommerce installed AND are on an earlier version of Elementor Pro (3.11.6 or earlier) are affected. Aside from updating to the latest version of Elementor Pro, check your WordPress users list to see if any new unknown user has registered, especially if you control who registers to your site.
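The two checks in this answer can be scripted. The following is an added example, not Elementor's code: it assumes the plugin and user inventories were exported as JSON (for instance with WP-CLI's `wp plugin list --format=json` and `wp user list --format=json`), and the sample data and the list of expected logins are constructed for illustration.

```python
import json
import re

FIXED = (3, 11, 7)  # first fixed Elementor Pro release, per this advisory

def parse_version(text):
    """Leading dotted-integer part of a version string, e.g. '3.11.6' -> (3, 11, 6)."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group().split("."))
    return parts + (0,) * (3 - len(parts))  # pad '3.11' to (3, 11, 0)

def is_exposed(plugins):
    """True when Elementor Pro is older than 3.11.7 AND WooCommerce is installed."""
    by_name = {p["name"]: p for p in plugins}
    pro = by_name.get("elementor-pro")
    if pro is None or "woocommerce" not in by_name:
        return False
    return parse_version(pro["version"]) < FIXED

def unknown_users(users, known_logins):
    """Accounts whose login is not on the owner's list of expected users, newest first."""
    known = {k.lower() for k in known_logins}
    flagged = [u for u in users if u["user_login"].lower() not in known]
    return sorted(flagged, key=lambda u: u["user_registered"], reverse=True)

# Constructed sample data in the shape of the two JSON listings (not real accounts).
SAMPLE_PLUGINS = json.loads("""[
  {"name": "elementor", "status": "active", "version": "3.11.5"},
  {"name": "elementor-pro", "status": "active", "version": "3.11.6"},
  {"name": "woocommerce", "status": "inactive", "version": "7.5.0"}
]""")
SAMPLE_USERS = json.loads("""[
  {"ID": 1, "user_login": "siteowner", "user_registered": "2021-06-01 09:00:00", "roles": "administrator"},
  {"ID": 2, "user_login": "shopmanager", "user_registered": "2022-02-14 10:30:00", "roles": "shop_manager"},
  {"ID": 9, "user_login": "wpnew_example", "user_registered": "2023-03-21 03:12:45", "roles": "administrator"}
]""")

if __name__ == "__main__":
    print("exposed:", is_exposed(SAMPLE_PLUGINS))
    for u in unknown_users(SAMPLE_USERS, ["siteowner", "shopmanager"]):
        print("review:", u["user_login"], u["user_registered"], u["roles"])
```

WooCommerce counts here whether it is active or inactive, matching the advisory's wording of "installed".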
Q: Why didn’t Elementor send me a message the moment this happened?
A: As always, when there are any security issues, we measure their impact and try to ensure we do not alert abusers on how the vulnerability can be exploited. We focus our efforts on getting a fix out there as soon as possible. When the issue is contained, we quickly inform our users via several channels, including email.
Q: What steps should I immediately take?
A: Make sure your website is updated to Elementor Pro 3.11.7 or higher.
Q: Who is exposed to this vulnerability?
A: Users who have an older version of Elementor Pro (3.11.6 or older) AND WooCommerce installed.
Q: What should I do if my site was affected?
A: Restore a clean backup of your website. If you have an Elementor Hosting plan, this guide can help. Otherwise, your hosting provider can help with this if needed. Once your clean backup has been restored, update to the latest version of Elementor Pro.
Q: Do security issues happen often?
A: Fortifying security is a continuous process, not just a single effort. Whenever we identify a threat, we always remain vigilant and release a fix as soon as possible.
Q: How do I know if and when the security issue has been contained / fixed? / Where do I go for the latest updates about security issues?
A: Follow our social media channels, and especially our Global Elementor Community, Status page, and changelog. When relevant, we also send a separate email.
Q: Where do security issues come from / what causes them?
A: Sadly, there will always be people with bad intentions who try to abuse other sites.
As always, if you have more questions, our team is available to help, and you can reach them by opening a support ticket.