Critical Vulnerability in Elementor Plugin Impacts Millions of WordPress Sites


Elementor is a drag-and-drop website builder for WordPress that has more than 5 million installations.

Considered critical, the newly addressed vulnerability was apparently introduced on March 22, in version 3.6.0 of the plugin. Roughly one-third of websites were running a vulnerable version when the bug was found.

Researchers with Plugin Vulnerabilities, who identified the flaw, say that the issue exists because some functionalities did not perform capability checks, thus becoming available to users who shouldn’t have had access to them.
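As an added illustration of this class of bug (not Elementor's code and not taken from the researchers' report), the WordPress plugin fragment below shows a handler that omits the capability check next to the same handler with the check in place. The plugin name, the `example_*` actions and functions, and the `example_setting` option are hypothetical, and `manage_options` is an assumed choice of required capability.

```php
<?php
/**
 * Plugin Name: Example Capability Check (constructed demo, hypothetical names)
 */

// BEFORE: no capability check. wp_ajax_* hooks fire for every logged-in
// user, so any account, including a subscriber, can change this
// site-wide option.
add_action( 'wp_ajax_example_save_setting_unsafe', 'example_save_setting_unsafe' );
function example_save_setting_unsafe() {
    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'example_setting', $value );
    wp_send_json_success();
}

// AFTER: the same operation, gated on a nonce and on a capability.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting' );
function example_save_setting() {
    // The nonce ties the request to a form this site rendered (CSRF
    // protection). It is not an authorization check on its own.
    check_ajax_referer( 'example_save_setting', 'nonce' );

    // Authorization: only roles holding the capability may proceed.
    // wp_send_json_error() sends the response and ends the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( 'example_setting', $value );
    wp_send_json_success();
}
```

When auditing a plugin for this pattern, list every callback registered on `wp_ajax_*`, `admin_init` and `admin_post_*` and confirm each one calls `current_user_can()` before it changes state.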