That looks like a bugfix rather than a security issue, though I don’t know enough about Elementor to see exactly what it’s doing.
This is just a starting point, right now my goal is to provide an option for people to run Elementor without security issues, since they dropped support for WP 4.9.x in version 2.8.0.
I’m now going to revisit all of the stalled Elementor developments so that they can have a new life!
Thank you James - that may have taken me all week! 
I glanced at an Elementor v2.7.5 install and that did not have the files you refer to, either. So far your fork is operating fine without them.
I have briefly tested the ‘Premium Addons for Elementor plugin’ with your fork, which installed and appears to function fine, as expected.
Next step, I’ll test some more complex theme pages on a staging site.
This is a mammoth task, well done James!
The real work is in keeping up with this afterwards. For example Elementor has made almost 2,400 commits since version 2.7.6 was released.
Needless to say I’ll need some help from the community in maintaining this.
Probably should update 159 to point to this thread: Plugins Confirmed Working on ClassicPress v1
Those were my first thoughts when I saw the announcement.
Could be moved to the ClassicPress Research repo?
This was my aim also.
Hopefully a stable platform to run on.
I don’t need the new features, so would be happy with a fairly static fork that includes security patches.
Bug fixes would be a nice to have.
Someone else may want to build upon that (in another fork?) and include (overlay) some of the newer features, albeit they may need re-writing.
I can’t promise anything, but will try to look at tidying up a few things.
The same as before, anyone is welcome to submit issues and PRs, but this makes it a bit clearer that this plugin is meant for the ClassicPress community to use and maintain.
It might be best to remove “Elementor” from the name, and eventually from the code. That’s the only legal issue with forking plugins. Otherwise you’ll be in this situation:
With $15mil they have more money to spend with lawyers now 
The implications here are not limited to just the name. I’d assume Elementor would take issues to the forked version having to access their server to retrieve the pre-designed pages and sections (templates)!
That’s true too. I wonder how licensing applies in situation like this.
Those templates might eventually stop working if they begin using new features forked plugin doesn’t have.
I’m going to make an assumption that the free templates form an integral part of the free version and therefor are released under the terms of the GPL. The pro versions however are not since the pro addon is not GPL.
I’m looking at doing a bulk import of the free versions and maintaining them on either my server or in a repo on GitHub. If I’m going to host them on my server then I’ll need to figure out how to setup the REST API endpoints to serve them from - fun times ahead 
Yes something similar but would like to hook it to the builder’s own CPT instead of creating a new one.
Trying to figure out how Elementor have set their up to return the info.json and then serve the templates remotely.
GitHub might work if there’s an Action to automate the info.json - I have a rough proof of concept addon and to figure out the info automation part. The good thing with the self hosted CP already provides the API.
“When using the Elementor and Elementor Pro software, you receive all rights granted under the GPL.”.
Been over a year since a last touched the pro addon - didn’t realize they made it GPL compatible.
That makes things even more interesting