WordPress plugin exposes half a million sites to attack
A popular WordPress plugin used by more than a million websites all over the world has been found to be carrying a critical remote code execution (RCE) flaw that allowed potential malicious actors to perform a local file inclusion attack.
Cbersecurity researcher Wai Yan Muo Thet discovered the vulnerability in the Essential Addons for Elementor plugin on January 25, 2022, and reported it to Patchstack the same day.
WPDeveloper, the owner of the plugin in question, was already aware of the vulnerability, and has already made two unsuccessful attempts to fix the issue.
Fixing the issue
“The local file inclusion vulnerability exists due to the way user input data is used inside of PHP’s include function that are part of the ajax_load_more and ajax_eael_product_gallery functions,” PatchStack explained.
The only thing the vulnerable site needs, is to have the “dynamic gallery” and “product gallery” widgets enabled, it added.
Versions 5.0.3 and 5.0.4 both tried to address the problem, which was finally solved in version 5.0.5. At the moment, some 400,000 websites have upgraded the plugin, meaning roughly 600,000 are still vulnerable.
Those running Essential Addons for Elementor have two ways to go about fixing the issue: either downloading the latest version from this link, or heading over to the WordPress dashboard and triggering the update directly from there.
WordPress plugins have proved popular targets for hackers attacking major vulnerabilities in recent months. In November 2021, researchers found a website takeover flaw in the Preview E-mails for WooCommerce addon, while in December 2021, a vulnerability in the popular WPS Hide Login plugin could have allowed attackers access to a site’s administrator login page.
The good news is that the plugins’ owners are usually quick to react, when the vulnerabilities are disclosed. Webmasters running WordPress sites are advised to keep all of their addons updated at all times, to bring the risk of an attack down to a minimum.
Via: BleepingComputer