The popular WordPress page builder Elementor has a vulnerability known as an Authenticated Reflected XSS. This kind of vulnerability allows a hacker to run a script from another site and do things such as steal login credentials.
The attack works by getting a script reflected into a page on the vulnerable site (for example through a search box): the hacker creates a URL that, when followed, executes the script, which is hosted on another site. The hacker then sends that link to someone whose credentials could then be stolen.
It is not stated whether a hacker can use this exploit to steal an Elementor publisher’s admin credentials.
According to the WordPress Vulnerability Database, the proof of concept is being hidden until February 12th to give users time to update.
The website security company that discovered the vulnerability (Impenetrable.tech) has published a walk-through of how they discovered the security flaw.
Once they discovered the vulnerability, they contacted the publishers of the Elementor Page Builder plugin, and the publishers updated it right away.
Only after Elementor was patched did the security site publish an account of the vulnerability.
This vulnerability affects versions 2.8.4 and older. It is advisable to log into your WordPress website and update your site if you use the Elementor Page Builder plugin. The most current version of Elementor Page Builder is 2.8.5.
Once you sign in to your WordPress account, there should be an update link in the admin navigation ribbon at the top of the page, or you can open the updates page from the link in the admin sidebar to view all available updates.
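For anyone managing several sites, the version check above can be scripted. The following is an added example, not code from Elementor or Impenetrable.tech: it reads the plugin header and flags installs older than 2.8.5. It assumes the default WordPress layout, with the plugin's main file at wp-content/plugins/elementor/elementor.php; the sample header is constructed.

```python
import re
import sys
from pathlib import Path

FIXED = (2, 8, 5)  # first patched release, per the article

# Constructed sample of a WordPress plugin header, for illustration only.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: Elementor\n * Version: 2.8.4\n */\n"

HEADER_VERSION = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.M | re.I)

def parse_version(text):
    """Return the header's Version field as a tuple of ints, or None."""
    m = HEADER_VERSION.search(text[:8192])  # WordPress reads only the first 8 KB
    if not m:
        return None
    # Drop any suffix such as "-beta1" and keep the numeric components.
    nums = re.findall(r"\d+", m.group(1).split("-")[0])
    return tuple(int(n) for n in nums) if nums else None

def is_vulnerable(version):
    """True if version is older than 2.8.5. Compares numerically, so 2.10.0
    is correctly treated as newer than 2.8.5 (a string compare gets it wrong)."""
    padded = tuple(version) + (0,) * (3 - len(version))
    return padded < FIXED

def audit(wp_root):
    """Return (status, version) for one WordPress root directory."""
    # Assumed path: default plugin directory and Elementor's main plugin file.
    main = Path(wp_root) / "wp-content" / "plugins" / "elementor" / "elementor.php"
    if not main.is_file():
        return ("not-installed", None)
    v = parse_version(main.read_text(encoding="utf-8", errors="replace"))
    if v is None:
        return ("unknown", None)
    status = "vulnerable" if is_vulnerable(v) else "patched"
    return (status, ".".join(map(str, v)))

if __name__ == "__main__":
    # Usage: python check_elementor.py /var/www/site1 /var/www/site2 ...
    for root in sys.argv[1:]:
        status, version = audit(root)
        print(f"{root}: {status} ({version or 'n/a'})")
```

Sites reported as "unknown" have a plugin file whose header could not be parsed and should be checked by hand.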