Security vulnerability solved on version 2.9.4

Q: What steps should I immediately take?

A: Update your Elementor Pro version to the latest one, 2.9.4. Also, head over to Settings » General page in your WordPress admin area. Scroll down to the ‘Membership’ section and uncheck the box next to the ‘Anyone can register’ option unless you activated it intentionally and need it for your website.
The vulnerability allows malicious files to be uploaded to the site via the Icon Sets Zip file uploading system. We want to emphasize that this loophole only affects Elementor Pro sites with a specific WordPress option active, namely the ‘Anyone can register’ option. We have already released a new version of Elementor Pro which resolves this vulnerability with two main fixes: 

  • Only Administrator role users can upload Icon Sets.
  • Only authorized files can be processed via a ZIP file.

Q: Who is exposed to this vulnerability and to which version of Elementor does this apply? 

A: The exploit uses the Custom Icons zip files upload mechanism to inject malicious files. The Custom Icons feature was introduced in Elementor Pro 2.6. Users with this and later versions (except 2.9.4) might be exposed and should take action to ensure their site safety. Users that have their site hosted on a server that restricts .php files execution in uploads folder are unlikely to be exposed to this vulnerability.

Q: How do I know if my site was affected? 

A: Check your WordPress users list to see if any new unknown user has registered, especially if you control who registers to your site. If so, it still doesn’t mean that your site is affected: check your Custom icons folder in uploads directory: /wp-content/uploads/elementor/custom-icons/ and check in the inner Custom Icons folders for any unknown .php files. “index.php” is part of the original files. If you find any trace of the mentioned above items, it is likely that your site has been compromised. 

Q: What should I do in case my site was affected? 

A: If you think your site was compromised, delete any unknown users, change passwords to your registered users, and contact your hosting provider to let them know about the issue for further assistance. Restoring from a backup prior to the infected custom icons library creation date might be a viable solution for you. 

Q: Do security issues happen often? 

A: Fortifying security is a continuous process, not just a single effort. Whenever we identify a threat, we always remain vigilant and release a fix as soon as possible.


When we first discover a security vulnerability, we start by examining it and understanding it from each angle. In order not to jeopardize our users before issuing the fix, we keep the reported issue discrete. Once we issue the fix, we can go on to inform users about the vulnerability and its resolution.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.