Recently, a security vulnerability in Elementor, a popular WordPress plugin, made headlines. Two databases rated its severity at a staggering 9.9 and 8.8. This raised immediate concerns, leading to a straightforward action plan: “Stop everything and update Elementor first.” But is it really that simple? Let’s delve into the key questions:

Are millions of Elementor sites at risk?
Is there an urgent need to update your site, risking potential breakdowns?

The Confusion and Misinformation

The vulnerability databases heightened concerns by stating the issue remained unresolved at the time of disclosure. Some even suggested uninstalling the plugin. This sparked a wave of negative sentiment, with claims that millions of sites were at risk of being hacked. For any average user, this situation is undeniably confusing. While recognizing the importance of vulnerability databases, it’s crucial to acknowledge the potential harm caused by sensationalism, especially in the WordPress ecosystem, where misinformation is rampant.

The Reality of the Threat

The vulnerability in question allows contributors to gain Remote Code Execution (RCE) access. Undoubtedly, unauthorized access of this nature is a serious issue. Yet, most hacks originate from external sources, not insiders. While contributors can inflict damage like inserting malware or spam links, our analysis reveals a different story.

We examined the sites under our protection and found only 0.8% have active contributors. More sites have authors and editors, nearly 10% combined, who already possess significant access. Interestingly, less than 0.03% of sites allow outside contributors to register, which are the genuinely vulnerable ones. The distribution of default roles with registration enabled is as follows:

Contributor: 0.036%
Author: 0.032%
Editor: 0.008%
Administrator: 0.12%

Notably, administrator registration being open is often a sign of a previously hacked site.

Addressing Misconceptions

Contrary to claims by another security provider, the number of sites with open contributor registrations is not as high as feared. Fortunately there have been some tweets mentioning the same.

But at same time others are muddying the situation further.

Our Proactive Approach

We’re not suggesting blind trust in all authors, editors, etc. Therefore, we’ve implemented a rule on our firewall to safeguard all sites with the vulnerable plugin. We also recommend having an activity log plugin installed to track the activities of all users on your site. However, we emphasize the need for balanced reporting on such issues to prevent panic.

Answers to the Big Questions

Only around 2,000 sites are truly vulnerable.
If your site isn’t among these 2,000, don’t panic. Updating Elementor is wise, especially if you’re near the latest version. Older versions can be updated systematically.
Bonus Tip: Employ a robust firewall for added protection.
Second Bonus: Avoid falling for sensationalist reporting.

How to Check Your Site’s Vulnerability

To see if your site is open to contributor+ registrations:

In wp-admin, go to Settings > General > Membership.
Check if “Anyone can register” is ticked and the “New User Default Role.”

Our Solution: Atomic Security

WordPress has safeguards against unauthorized privilege escalation, but these can be misconfigured or overridden. That’s where our Atomic Security comes in. By integrating deeply with WordPress and adopting a low-trust approach, we pre-emptively protect against such vulnerabilities.