Marketing 2 min read

Researchers Report Security Flaws in Elementor Page Builder Plugin

Image courtesy of Elementor

Image courtesy of Elementor

Researchers have discovered a vulnerability called Authenticated Reflected XSS in the WordPress page builder, Elementor.

With over 3 million installs, Elementor is one of the most popular plugins on WordPress. Users depend on the plugin for frontend drag & drop page designs.

While the plugin appeared to function correctly, a website security firm,, thought Elementor may contain a bug or two. So, it set out to identify the security risks in the plugin.

The security company wrote in a blog post:

“The plugin seems to be very well implemented, but there is always a sneaky XSS somewhere. So in comes Burp Suite’s intruder dropping a whole heap of payloads into every dynamic part of the application….and…!”

Upon discovering the vulnerabilities, contacted the publishers of Elementor Page Builder and the WordPress plugin was immediately updated.

Here’s what you should know about the security flaw.

About Authenticated Reflected XSS in Elementor Page Builder

If exploited, the security flaw can enable hackers to run a script from another website to steal login credentials.

Attackers could cause a script to be loaded to the vulnerable site through a search box, for example. Then, they can create a URL that would execute the script when followed.  Finally, the hackers can forward the link to the person whose credentials they intend to steal.

To give users time to update, the proof of concept will remain hidden until February 12th. So, it’s unclear whether an attacker can use this exploit to steal and Elementor publisher’s admin details.

The one clear thing is that you need to log into your WordPress site to update the Elementor Page Builder.

The vulnerability affects version 2.8.4 of the plugin and older. So, you may want to update to the latest version, 2.8.5.

In your WordPress account, you should see an update link from the admin navigation ribbon at the top of the page. Another option is to access the update page via the link in the admin sidebar.

Read More: NSA Discovers Major Security flaw in Microsoft’s Windows 10

First AI Web Content Optimization Platform Just for Writers

Found this article interesting?

Let Sumbo Bello know how much you appreciate this article by clicking the heart icon and by sharing this article on social media.

Profile Image

Sumbo Bello

Sumbo Bello is a creative writer who enjoys creating data-driven content for news sites. In his spare time, he plays basketball and listens to Coldplay.

Comments (0)
Most Recent most recent
share Scroll to top

Link Copied Successfully

Sign in

Sign in to access your personalized homepage, follow authors and topics you love, and clap for stories that matter to you.

Sign in with Google Sign in with Facebook

By using our site you agree to our privacy policy.