• Resolved tottoholm

    (@tottoholm)


    I have your plugin installed on two websites I’ve created and they both got hacked because of a vulnerability in your coding.
    https://patchstack.com/articles/critical-privilege-escalation-in-essential-addons-for-elementor-plugin-affecting-1-million-sites/

    Got this mail from my hosting provider:

    You are receiving this email because you manage domain names with web hosting using WordPress, with the extension “Essential Addons for Elementor” (essential-addons-for-elementor-lite).

    On May 12, a security hole was made public in the extension that allows anyone to reset passwords for all users in WordPress. We have discovered that this has been exploited at the following web hosting associated with your account:

    When are you going to fix this? This has been happening since last week and there is still no update on your plugin to patch it. This is a massive security risk and the lack of action on your part is shocking. I don’t think I will use your plugin in the future.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support Zeba Afia Shama

    (@zebaafiashama)

    Hello @tottoholm

    We are extremely sorry for the inconvenience.

    We are aware of the issue and we patched a release as soon as the issue was reported. We strongly recommend updating your Essential Addons for Elementor to version 5.7.2.

    Here’s the timeline of the fix:

    11 May, 2023 – Essential Addons for Elementor version 5.7.2 was published to patch the reported issues.

    Please see the screenshot here: https://d.pr/i/7KwrZT

    You may also check the EA Changelog here: https://essential-addons.com/elementor/changelog/

    We sincerely apologize for the inconvenience caused, and please rest assured that we have implemented strict security measures to ensure that such incidents never occur in the future.

    Thank You

    Thread Starter tottoholm

    (@tottoholm)

    Hello and thank you for your attention.

    I have manually removed the malware on one website and I’m in the process of repairing website number two. I’m happy that you were on the case fast, but if you had tested your plugin properly before you released it, this wouldn’t have been an issue. But it’s good to see that you are taking the massive security risk seriously and that you patched it early.

    The plugins were on automated update, so that is the reason why I didn’t see the patch. I’m sorry about the misinformation about you not having patched it yet.

    Thank you also for your fast reply. Have a good day.

    Plugin Support Abid Hasan

    (@abidhasan112)

    Hi @tottoholm,

    Great to hear that everything is resolved on your end! We appreciate your feedback regarding our update, and please rest assured that we prioritize website security before any release. Moving forward, we will exercise extra caution regarding the security of our plugins.

    In fact, we addressed the security issue promptly on the same day it was reported. We value your understanding, and we hope you have a wonderful day!

    Please don’t hesitate to reach out to us if you have any further suggestions. Have a great day!

    What about the Pro version? Is it safe?

    I would also like to know if the pro version 5.4.5 is impacted. It won’t let me update it to 5.4.9 even though I have a valid license.

    Plugin Support Abid Hasan

    (@abidhasan112)

    @klngroup @djw0510, we’ve taken care of the PRO version as well and released an update. If you’re not getting a PRO plugin update, please contact our support channel for assistance.

    Note that, as per WordPress Org guidelines, let’s not talk about the PRO/commercial plugin here. Please contact us from here, we will help you.

    Thank you!

  • The topic ‘Two websites got hacked’ is closed to new replies.