This WordPress plugin for Elementor leaves websites vulnerable to hackers

Update your plugin ASAP to close this security flaw that allows hackers to take over vulnerable websites.
A popular plugin for WordPress website builder Elementor has a serious security flaw. Credit: Filip Radwanski/SOPA Images/LightRocket via Getty Images

If your website is powered by the WordPress page builder Elementor, double-check whether you're using this popular plugin. If you are, hackers can easily stage a complete takeover of your website thanks to a newly discovered security flaw.

Security researchers at Patchstack have released a new report about a concerning cybersecurity issue related to the WordPress plugin Essential Addons for Elementor. The plugin provides users with an assortment of pre-built WordPress blocks and templates for use when creating or updating their website.

"This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site," writes Patchstack in its report.


In practice, malicious actors can take advantage of this to reset the password of any user, including the administrator's account. If the administrator's password is reset, a hacker could have access to the entire website – backend and all – and take control of the site from its rightful owner. If a targeted website stores user information, the attacker would have access to and control of that as well.

"This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user," explains Patchstack.

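The flaw class Patchstack describes, shown beside a corrected handler. This is an added Python model, not the plugin's code: `UserStore`, both `reset_password_*` functions and the one-hour `RESET_TTL` are hypothetical names and values chosen for illustration.

```python
import hashlib, hmac, secrets, time

RESET_TTL = 3600  # assumed lifetime of a reset key, in seconds

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserStore:
    """Constructed in-memory stand-in for a site's user table."""
    def __init__(self):
        self.users = {}       # login -> (salt, password hash)
        self.reset_keys = {}  # login -> (sha256 of reset key, expiry time)

    def set_password(self, login, password):
        salt = secrets.token_bytes(16)
        self.users[login] = (salt, _pbkdf2(password, salt))

    def check_password(self, login, password):
        salt, digest = self.users[login]
        return hmac.compare_digest(digest, _pbkdf2(password, salt))

    def issue_reset_key(self, login, now=None):
        """Create a one-time key (sent to the account's e-mail); store only its hash."""
        key = secrets.token_urlsafe(32)
        expiry = (time.time() if now is None else now) + RESET_TTL
        self.reset_keys[login] = (hashlib.sha256(key.encode()).hexdigest(), expiry)
        return key

def reset_password_vulnerable(store, login, new_password):
    """Flaw class from the report: the password changes with no reset key checked."""
    if login not in store.users:
        return False
    store.set_password(login, new_password)
    return True

def reset_password_hardened(store, login, key, new_password, now=None):
    """Change the password only for a matching, unexpired, unused reset key."""
    now = time.time() if now is None else now
    record = store.reset_keys.get(login)
    if login not in store.users or record is None or not isinstance(key, str):
        return False
    digest, expiry = record
    if not hmac.compare_digest(hashlib.sha256(key.encode()).hexdigest(), digest):
        return False
    del store.reset_keys[login]  # single use, even if the key turns out expired
    if now > expiry:
        return False
    store.set_password(login, new_password)
    return True
```

WordPress core provides the equivalent key check as `check_password_reset_key()`, which a reset handler should call before changing any password.
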
Update the plugin as soon as possible

The plugin vulnerability has since been patched, and Essential Addons for Elementor users are being urged to update to version 5.7.2. All prior versions of the plugin, going back to version 5.4.0, are affected by the vulnerability. So, be sure to update the plugin!

More than 43 percent of all websites on the internet use WordPress. Elementor is a popular website builder for WordPress-powered sites, and more than 12 million WordPress sites use it. According to the WordPress Plugin Directory, more than 1 million active websites have Essential Addons for Elementor installed.
