CVE-2023-48777: Elementor Exposed 5 Million Websites to Hackers

A critical security flaw was found in Elementor, a popular WordPress website builder plugin used by over 5 million websites worldwide.

The vulnerability, identified as an ‘authenticated arbitrary file upload’ issue, was initially discovered by security researcher Hồng Quân and reported to the Patchstack alliance program. It’s a weakness that allows accounts with edit post permissions, such as those with the Contributor role, to upload potentially malicious files, including PHP files, which could lead to remote code execution. This vulnerability, tagged CVE-2023-48777, appeared in version 3.3.0 and was fixed in version 3.18.2.


Elementor has been the go-to WordPress plugin for many, offering an intuitive visual builder to create professional and pixel-perfect websites without writing a single line of code. However, this ease of use came with a hidden cost: a backdoor for attackers. The vulnerability lay dormant in the plugin’s ‘handle_elementor_upload‘ function, which failed to validate file types before uploading, thus allowing for arbitrary file uploads.

The response to this vulnerability was a two-step process. The first patch, released in version 3.18.1, attempted to sanitize file names to prevent files from being saved outside the intended directory. However, this was only a partial fix, as it didn’t fully address the ability to upload arbitrary files. The second patch in version 3.18.2 introduced a more robust check, ensuring proper validation of file names and extensions, thereby plugging the CVE-2023-48777 security hole.

If you use Elementor on your website, it’s crucial to update to version 3.18.2 or later immediately. This will ensure your website is protected from this critical vulnerability. Additionally, it’s good practice to regularly update all your plugins and WordPress core to stay ahead of potential security threats.

Here are some additional tips to stay safe:

  • Use strong passwords and enable two-factor authentication for all your WordPress accounts.
  • Regularly back up your website data.
  • Keep your WordPress core, themes, and plugins updated to the latest versions.
  • Install a security plugin to help identify and prevent vulnerabilities.
  • Use a web application firewall (WAF) to further protect your website from attacks.