Building from source like this is the best way to do a maintainable fork, but the hard part was getting the plugin to build correctly.
It looks like the version of Elementor that was released as https://downloads.wordpress.org/plugin/elementor.2.7.6.zip had some extra things done to it that aren't in this GitHub repository. I can't find out where the following files in this plugin were coming from:
There are also some differences in the built JS and CSS files; it looks like this is because Elementor doesn't lock their webpack and other build dependencies to specific versions. From a quick look I don't see anything that looks like it will cause problems.
So now we have a version of Elementor 2.7.6 that includes the security fix from Elementor 2.8.5.
I did a VERY basic test (created, published, then edited a very simple page) and it seems to work OK. This is very much a beta release (needs more testing before I can recommend it to be used on production sites) but you can try it here:
That looks like a bugfix rather than a security issue, though I don't know enough about Elementor to see exactly what it's doing.
This is just a starting point, right now my goal is to provide an option for people to run Elementor without security issues, since they dropped support for WP 4.9.x in version 2.8.0.
The same as before, anyone is welcome to submit issues and PRs, but this makes it a bit clearer that this plugin is meant for the ClassicPress community to use and maintain.
It might be best to remove "Elementor" from the name, and eventually from the code. That's the only legal issue with forking plugins. Otherwise you'll be in this situation:
With $15mil they have more money to spend with lawyers now
The implications here are not limited to just the name. I'd assume Elementor would take issue with the forked version having to access their server to retrieve the pre-designed pages and sections (templates)!
I'm going to make an assumption that the free templates form an integral part of the free version and therefore are released under the terms of the GPL. The pro versions however are not since the pro addon is not GPL.
I'm looking at doing a bulk import of the free versions and maintaining them on either my server or in a repo on GitHub. If I'm going to host them on my server then I'll need to figure out how to set up the REST API endpoints to serve them from - fun times ahead
Yes something similar but would like to hook it to the builder's own CPT instead of creating a new one.
Trying to figure out how Elementor have set theirs up to return the info.json and then serve the templates remotely.
GitHub might work if there's an Action to automate the info.json - I have a rough proof of concept addon and to figure out the info automation part. The good thing with the self hosted CP already provides the API.
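
The comparison described earlier in the thread, between the published release zip and a build made from the GitHub source, can be done file by file with hashes. This is an added example, not code from the thread or from Elementor; the file names, the `plugin/` prefix and the sample contents are constructed for illustration.

```python
import hashlib, os, tempfile, zipfile

def manifest_from_zip(zip_path, strip_prefix=""):
    """Map relative path -> SHA-256 for every file in a release zip."""
    out = {}
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(strip_prefix):
                continue
            rel = info.filename[len(strip_prefix):]
            out[rel] = hashlib.sha256(zf.read(info)).hexdigest()
    return out

def manifest_from_dir(root):
    """Map relative path -> SHA-256 for every file under a local build directory."""
    out = {}
    for base, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(base, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def diff_manifests(release, build):
    """Split differences into the three buckets a reviewer triages separately."""
    return {
        "only_in_release": sorted(set(release) - set(build)),  # unexplained extras
        "only_in_build": sorted(set(build) - set(release)),
        "changed": sorted(p for p in set(release) & set(build) if release[p] != build[p]),
    }

def demo():
    """Constructed sample: a tiny fake release zip and a fake build from source."""
    tmp = tempfile.mkdtemp()
    zip_path = os.path.join(tmp, "plugin-release.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("plugin/plugin.php", "<?php // same\n")
        zf.writestr("plugin/assets/js/app.min.js", "built-with-webpack-A")
        zf.writestr("plugin/assets/extra.json", "{}")  # not produced by the source build
    build = os.path.join(tmp, "build")
    os.makedirs(os.path.join(build, "assets", "js"))
    for rel, body in {"plugin.php": "<?php // same\n", "assets/js/app.min.js": "built-with-webpack-B"}.items():
        with open(os.path.join(build, rel), "w", newline="") as fh:
            fh.write(body)
    return diff_manifests(manifest_from_zip(zip_path, "plugin/"), manifest_from_dir(build))

if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```

Files in `only_in_release` have no origin in the source tree and need to be reviewed by hand; files in `changed` are the ones where unpinned build dependencies can explain the difference.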