The Elementor plugin (version 2.7.4 and below) was found to be vulnerable to arbitrary file upload. Because the application did not properly handle zip files containing directories, an attacker could upload PHP files that were executable. This allowed any user able to import templates (WordPress role "Contributor" or above) to execute commands on the underlying server.
Fixed in version 2.7.5
Sam Thomas and Kyle Fleming
2020-01-14
2020-05-13
2021-01-19
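A check of the kind the description calls for, written as an added example (it is not Elementor's code and not the 2.7.5 patch): every entry name in an uploaded template archive is inspected before anything is extracted. The function name `find_rejected_entries` is hypothetical, and the policy it enforces (templates are flat `.json` files, so directories, nested paths and other extensions are refused) is an assumption.

```php
<?php
// Added example: allowlist check for a template-import ZIP.
// Assumption: templates are flat .json files, so any directory entry,
// nested path, or other extension is rejected before extraction.

function find_rejected_entries(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('cannot open archive');
    }
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        // Normalise Windows separators so "dir\file" is seen as nested.
        $norm = str_replace('\\', '/', $name);
        if (substr($norm, -1) === '/') {
            $rejected[$name] = 'directory entry';
        } elseif (strpos($norm, '/') !== false) {
            $rejected[$name] = 'nested path';
        } elseif (strtolower(pathinfo($norm, PATHINFO_EXTENSION)) !== 'json') {
            $rejected[$name] = 'extension not allowed';
        }
    }
    $zip->close();
    return $rejected;
}

// Constructed sample archive: one valid template plus the entry shapes
// the advisory describes (a directory, and a .php file inside it).
$path = tempnam(sys_get_temp_dir(), 'tpl');
$zip = new ZipArchive();
$zip->open($path, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('template.json', '{"title":"ok"}');
$zip->addEmptyDir('nested');
$zip->addFromString('nested/page.php', 'constructed placeholder');
$zip->addFromString('top.PHP', 'constructed placeholder');
$zip->close();

$rejected = find_rejected_entries($path);
unlink($path);

// Import only when nothing was rejected; never extract a partial archive.
foreach ($rejected as $name => $why) {
    echo "$name: $why\n";
}
echo $rejected ? "REJECT archive\n" : "OK to import\n";
```

Name checks like this complement, rather than replace, keeping the extraction directory outside any path where the web server executes PHP.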