A potentially dangerous vulnerability has been discovered in a major WordPress plugin that is used by over a million websites around the world.
A major Remote Code Execution (RCE) bug was discovered in the Essential Addons for Elementor plugin, allowing potentially malicious attackers to launch a local file inclusion attack.
How The Attack Works
An RCE attack lets an attacker run malicious code on a computer from a distance. RCE attacks can range from the execution of malware to the complete control of a compromised machine.
On January 25th, 2022, cybersecurity researcher Wai Yan Muo Thet uncovered a vulnerability in the plugin and reported it to Patchstack. Patchstack clients received a virtual upgrade the next day.
Patchstack is a WordPress security company that tries to keep websites safe against plugin flaws.
The owner of the plugin, WPDeveloper, was aware of the vulnerability prior to the attack and had made two unsuccessful attempts to address the problem.
Patchstack released a summary of the flaw, stating that:
A local file inclusion attack can be carried out by any user, independent of their authentication or authorisation status. Local files on the website’s filesystem, such as /etc/passwd, can be included using this approach. This can also be used to achieve RCE by including a file containing malicious PHP code that would otherwise be impossible to run.
According to Patchstack, the vulnerability only exists if the dynamic gallery and product gallery widgets are used, because both use the vulnerable functions.
Previously, versions 5.0.3 and 5.0.4 of the plugin tried but failed to fix the problem. With the release of version 5.0.5 last week, a full patch was made available.
Essential Addons for Elementor is used by over a million WordPress websites. However, how many of them have the widgets activated is unknown. Despite the fact that over 400,000 websites have already upgraded to the patched versions of the plugin, 600,000 websites are still possibly vulnerable.
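For site owners triaging their own installs against the version history above, the following is an added example and not code from the plugin or from Patchstack. It reads the "Version:" line of a WordPress plugin header and sorts the install into the three states the article describes; the sample header is constructed, and the function and label names are assumptions.

```python
import re

# Version facts taken from the article: 5.0.3 and 5.0.4 were incomplete
# fixes, 5.0.5 carries the full patch.
FIRST_ATTEMPT = (5, 0, 3)
FULL_PATCH = (5, 0, 5)

# WordPress plugins declare their version in a header comment of the main
# PHP file, e.g. " * Version: 5.0.4".
HEADER_VERSION = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)",
                            re.IGNORECASE | re.MULTILINE)

# Constructed sample header (not copied from the real plugin file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Essential Addons for Elementor
 * Version: 5.0.4
 */
"""


def parse_version(text):
    """Return the header version as a 3-tuple of ints, or None if absent."""
    match = HEADER_VERSION.search(text)
    if not match:
        return None
    # Keep only the leading dotted-numeric part ("5.0.5-beta1" -> "5.0.5").
    numeric = re.match(r"\d+(?:\.\d+)*", match.group(1))
    if not numeric:
        return None
    nums = [int(p) for p in numeric.group(0).split(".")[:3]]
    # Pad so "5.1" compares as (5, 1, 0). Tuples of ints compare numerically,
    # so 5.0.10 sorts after 5.0.5 (a plain string comparison would not).
    return tuple(nums + [0] * (3 - len(nums)))


def triage(text):
    """Classify an install by the version found in its plugin header."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    if version >= FULL_PATCH:
        return "patched"
    if version >= FIRST_ATTEMPT:
        return "incomplete-fix"  # 5.0.3 / 5.0.4: still needs the update
    return "vulnerable"


if __name__ == "__main__":
    print(triage(SAMPLE_HEADER))
```

A "vulnerable" or "incomplete-fix" result reflects the version only; per Patchstack, exposure also depends on the dynamic gallery or product gallery widget being in use.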