There is indeed a security issue with Elementor 2.7.6, that was fixed in version 2.8.5. It’s this one: https://www.wpvulndb.com/vulnerabilities/10051 I also can’t find any evidence that a version 2.7.7 exists to fix this vulnerability.
I started a fork so that ClassicPress users can continue using Elementor without security issues for the time being. It is a beta version and needs more testing before being used on production sites. More details: [BETA] Fork of Elementor with ClassicPress support
Thanks @trying for the information and the idea to fork Elementor, and thanks @zulfgani for the suggestion to split the fork out into a new thread.