The developers of the Elementor Website Builder plugin for WordPress have released a new version 3.6.3 to address a critical remote code execution flaw that may impact as many as 500,000 websites. A threat actor creating a normal user account on an affected website could change the name and theme of the affected site making it look entirely different.

The vulnerability appeared in Elementor 3.6.0, released on March 22, 2022.

Source: securitylab.ru