600K WordPress sites impacted by critical plugin RCE vulnerability


Essential Addons for Elementor, a popular WordPress plugin installed on more than one million websites, has been found to contain a critical remote code execution (RCE) vulnerability affecting version 5.0.4 and earlier.

The flaw allows an unauthenticated user to perform a local file inclusion attack, for example including a PHP file, in order to execute code on the website.

“The local file inclusion vulnerability exists due to the way user input data is used inside of PHP’s include function that is part of the ajax_load_more and ajax_eael_product_gallery functions,” explained the Patchstack researchers who found the vulnerability.

The only prerequisite for the attack is that the “dynamic gallery” and “product gallery” widgets are enabled, because in that configuration no token (nonce) check is performed on the request.

Two patching attempts that failed

Researcher Wai Yan Muo Thet discovered the vulnerability on January 25, 2022. The plugin’s developer was already aware of the issue by that date and had shipped an earlier patch.

That patch, however, did not prevent the inclusion of local file payloads.

The next release, version 5.0.4, added a call to the “sanitize_file_name” function in an attempt to strip special characters such as slashes and dots, along with anything else that could be used to bypass the text sanitization.

That is the version Patchstack examined and found to still be vulnerable, so it notified the developer that the fix did not adequately mitigate the issue.

The developer then published version 5.0.5, which applies PHP’s “realpath” function to the path before it is used, preventing malicious pathname resolution such as “../” traversal sequences.
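As an added illustration (not code from Essential Addons for Elementor, nor from Patchstack or the original article), the following plain-PHP example reproduces the vulnerable pattern described above, user-controlled input reaching include(), beside a hardened loader that applies realpath() and then checks that the resolved file lies under the template directory. The function names, the template-directory layout and the planted file are assumptions made for the demo; the plugin’s actual AJAX handlers are not modelled.

```php
<?php
// Added example: NOT the plugin's code. It contrasts a user-controlled include()
// (the local file inclusion pattern described above) with a loader hardened by
// realpath() plus a base-directory containment check. All names are assumed.

declare(strict_types=1);

// Vulnerable: the template name comes straight from the request and is glued
// into the path that include() receives. "../" sequences walk out of the
// template directory, so any readable PHP file (for example one an attacker
// managed to upload) gets executed.
function load_template_vulnerable(string $template_dir, string $template): string
{
    $path = $template_dir . '/' . $template . '.php';
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Hardened: canonicalise, then verify containment. realpath() collapses ".."
// segments and symlinks and returns false for paths that do not exist, which
// also rules out stream wrappers such as php://filter.
function resolve_template_path(string $template_dir, string $template): ?string
{
    // Embedded NUL bytes make realpath() throw in PHP 8 and fail in PHP 7;
    // reject them explicitly instead of relying on either behaviour.
    if (strpos($template, "\0") !== false) {
        return null;
    }
    $base = realpath($template_dir);
    if ($base === false) {
        return null;
    }
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $template . '.php');
    if ($resolved === false) {
        return null;
    }
    // The separator is part of the prefix so that "/templates" does not
    // accept "/templates_evil/x.php".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

function load_template_hardened(string $template_dir, string $template): ?string
{
    $path = resolve_template_path($template_dir, $template);
    if ($path === null) {
        return null; // refuse instead of including
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Constructed fixture for the demo (not real site data): one legitimate
// template inside the template directory and a PHP file planted one level up,
// standing in for an attacker-uploaded file.
$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/gallery.php', '<?php echo "gallery template"; ?>');
file_put_contents($root . '/uploaded.php', '<?php echo "attacker-controlled code executed"; ?>');
$dir = $root . '/templates';

echo "vulnerable, gallery:   ", load_template_vulnerable($dir, 'gallery'), "\n";
echo "vulnerable, traversal: ", load_template_vulnerable($dir, '../uploaded'), "\n";
echo "hardened, gallery:     ", load_template_hardened($dir, 'gallery') ?? 'refused', "\n";
echo "hardened, traversal:   ", load_template_hardened($dir, '../uploaded') ?? 'refused', "\n";

// Clean up the fixture.
unlink($dir . '/gallery.php');
unlink($root . '/uploaded.php');
rmdir($dir);
rmdir($root);
```

The containment check is the part that realpath() alone does not give you: canonicalising the path only helps if the result is then compared against the directory you intended to serve from. Character stripping of the kind described for 5.0.4 works on the input string, whereas the check above works on what the filesystem actually resolves, which is why it also covers symlinks and non-existent paths.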

Update and mitigate

Version 5.0.5 was released last week, on January 28, 2022, and has been downloaded approximately 380,000 times according to WordPress’ download statistics.

Since the plugin is installed on more than one million WordPress sites, this means more than 600K sites have not yet applied the security update.

If you use Essential Addons for Elementor, download the most recent version or install the update directly from the WordPress dashboard.

To reduce exposure to local file inclusion vulnerabilities in general, including ones that have not yet been patched, follow these practices:

  • Store file paths in a secure database and refer to each one by an identifier rather than by path.
  • Serve only files on a verified allowlist and reject everything else.
  • Do not include files that live on a web server that could be compromised; store them in a database instead.
  • Have the server send download headers rather than executing files from a given directory.
