Good bye Elementor?

This was the turn off for me when I first looked at Beaver Builder and it still does today. I think the team behind it need to beef up the lite version (remove Lite to start with and replace it with Core), add a few more modules and push the ecosystem (lagging way behind other builders) around it to really make it shine.

If the above starts to happen I may get behind it but as it is for the moment it’s just meh and not worth investing time in. I know I could take the initiative and build an addon but I’ve learned the hard way with Elementor in the past :unamused:

2 Likes

Just updated Elementor on a development site (with CP 1.1.1), and I can confirm that Elementor no longer works with CP (or WP4.9.x).

Rebuilding the site at this stage (and learning a new page-builder) is out of the question. So, I’ll have to get back to Elementor 2.7 (somehow, as had updated from 2.5).

Longer term, will have to decide to go back to WP or find an alternative to Elementor. (I’ve got until the middle of February to decide when the Elementor Pro licence runs out).

I hate building and maintaining websites these days. Perhaps it’s time to chuck the whole thing.

4 Likes

From the looks of blocks instead of themes, staying with WordPress might entail a lot of work to re-theme your site.

3 Likes

You may very well be my first customer.

Take a look at cpforks.com which I have just made for exactly this reason.

5 Likes

There’s a plugin called WP Rollback, which helps you install specific versions of plugins.
The one called WP Downgrade is for specific versions of WP.

You might want to try converting from Elementor. I haven’t looked for it, but there might be a plugin. Or you could use code that replaces those shortcodes with their output. Or use a plugin like WP Scraper to save the expanded version of the pages (no shortcodes). Or make your own fork of the plugin like Aussie says.

Edit: I forgot to mention that there is a service for matching a theme: http://www.themematcher.com/

My site doesn’t make a fork as such, it simply gives you version 2.7.5 as 5.0.0 and prevents it being installed on a WordPress site.

It is more for someone who doesn’t already have Elementor (or any plugin listed) installed and finds they can’t install the current version on ClassicPress.

A lot of users aren’t aware you can download previous versions of a plugin from the WP repo, or that you can’t simply overwrite your current version, without deleting or renaming it.

If you are already on 2.7.5 or 2.7.6, then there is no need to rollback. Why rollback to 2.5 when 2.7.5 works better?

1 Like

I was just checking viability of running Elementor 2.7.6 but notice an XSS vulnerability from last month.

You may be aware already:
https://www.wpvulndb.com/plugins/elementor

10051 and 10052 indicate it was patched for 2.7.6 (in 2.7.7) and in 2.8.5.

https://www.wpvulndb.com/vulnerabilities/10052

As Elementor v2.8.x requires WP 5.x that leaves the mystery of whether Elementor v2.7.7 exists. Maybe it just shows in the wpvulndb site as a ‘placeholder’.

WP Rollback lists v2.8.5 (but does not list v2.7.7 - it may not actually exist as it is not on the download.wordpress.org server).

Time permitting, I may try to look at changes between 2.8.5 and 2.8.4 (i.e. try to isolate the security fix) and see if a patch to 2.7.6 is possible.

Has anyone been down this road?

P.S. Why do this? 1 stable theme running using Elementor which could then keep running long-term on WP4.9 or of course ClassicPress v1.x

Maybe there are/will be others with a similar situation.

2 Likes

From Sucuri:

“This vulnerability is exploitable on sites which allow users to have accounts and are using Elementor versions lower than 2.7.6, released last December.”

Seems to suggest 2.7.6 is safe to me?

The fix was done in v2.7.6 as indicated in the changelog with “Fix: Added HTML escaping to Admin class and to System Info”

2 Likes

My bad.

However - and please check me here - it appears there were 2 XSS vulnerabilities approximately a month apart.

(As they added them both to their database on 29 Jan 2020, have similar names, combined with it showing one ‘fixed in 2.7.7’ which as you both say should read v2.7.6, that threw me a bit.)

1. Authenticated Stored XSS

2.7.6 – 2019-12-08 changelog

Fix: Added HTML escaping to Admin class and to System Info

Yes, that one looks like it is fixed in v2.7.6.

2. Authenticated Reflected XSS

2.8.5 – 2020-01-27 changelog

Fix: Added data sanitization on System Info

That could still be a problem in the earlier version.

Possibly the problem was introduced after v2.7.6 but I have not looked at source code yet.

I know some of you may be running this in production.

This approach may help:

  • look at changes between v2.8.5 and v2.8.4 (i.e. try to isolate the security fix)

  • identify the problematic code and see if it exists in v2.7.6 [if not, no problem]

  • if it does, try to fix v2.7.6

Sorry for the confusion. :grimacing:

1 Like
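
The three-step check proposed in the post above (diff v2.8.4 against v2.8.5, then look for the pre-fix lines in v2.7.6), as an added example that is not part of the thread and is not Elementor's code. The sample trees, file names and PHP lines are constructed; in practice the three paths would point at the unpacked plugin zips.

```python
import difflib
import tempfile
from pathlib import Path

# Constructed stand-ins for three unpacked plugin trees; file names and PHP
# lines are illustrative only and are not Elementor's code.
SAMPLE = {
    "2.8.4": {"includes/report.php": "<?php\n$tab = $_GET['tab'];\necho $tab;\n",
              "includes/newer.php": "<?php\necho $_GET['x'];\n"},
    "2.8.5": {"includes/report.php": "<?php\n$tab = $_GET['tab'];\necho esc_html( $tab );\n",
              "includes/newer.php": "<?php\necho esc_html( $_GET['x'] );\n"},
    "2.7.6": {"includes/report.php": "<?php\n$tab = $_GET['tab'];\necho $tab;\n"},
}


def removed_by_fix(before: Path, after: Path):
    """Step 1: yield (relative path, lines the fix removed or rewrote)."""
    for new_file in sorted(after.rglob("*.php")):
        rel = new_file.relative_to(after)
        old_file = before / rel
        old = old_file.read_text().splitlines() if old_file.exists() else []
        diff = difflib.ndiff(old, new_file.read_text().splitlines())
        removed = [d[2:].strip() for d in diff if d.startswith("- ") and d[2:].strip()]
        if removed:
            yield rel, removed


def backport_report(before: Path, after: Path, target: Path):
    """Steps 2-3: map each fixed file to the pre-fix lines still present in target."""
    report = {}
    for rel, removed in removed_by_fix(before, after):
        target_file = target / rel
        present = set()
        if target_file.exists():  # absent file: the changed code never shipped in target
            present = {line.strip() for line in target_file.read_text().splitlines()}
        report[rel.as_posix()] = [line for line in removed if line in present]
    return report


def demo():
    """Write the constructed trees to a temp dir and run the check on them."""
    with tempfile.TemporaryDirectory() as tmp:
        for version, files in SAMPLE.items():
            for name, body in files.items():
                path = Path(tmp, version, name)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        return backport_report(Path(tmp, "2.8.4"), Path(tmp, "2.8.5"), Path(tmp, "2.7.6"))


if __name__ == "__main__":
    print(demo())
```

An empty list means the pre-fix code is not in the older tree; a non-empty list names the lines that need the same change there. A fix that only adds lines leaves nothing to match, so the full diff still needs reading.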

4 posts were split to a new topic: [BETA] Fork of Elementor with ClassicPress support

There is indeed a security issue with Elementor 2.7.6, that was fixed in version 2.8.5. It’s this one: https://www.wpvulndb.com/vulnerabilities/10051 I also can’t find any evidence that a version 2.7.7 exists to fix this vulnerability.

I started a fork so that ClassicPress users can continue using Elementor without security issues for the time being. It is a beta version and needs more testing before being used on production sites. More details: [BETA] Fork of Elementor with ClassicPress support

Thanks @trying for the information and the idea to fork Elementor, and thanks @zulfgani for the suggestion to split the fork out into a new thread.

5 Likes