From blog.sucuri.net
On April 12th, an important security update was released for the Elementor plugin patching a critical remote code vulnerability which allows all authenticated users, including subscribers, to upload and execute arbitrary PHP code on a vulnerable website.
This vulnerability, identified as CVE-2022-1329, is extremely severe. With over 5 million active installations of Elementor at the time of writing, a significant number of websites are impacted.
WordPress websites using the Elementor plugin should patch immediately. Sucuri web application firewall users are protected from this issue.