Plugin RCE vulnerability affects 600K WordPress Sites

Plugin RCE vulnerability affects 600K WordPress Sites

Wordpress vulnerability

A critical RCE vulnerability that affects 600k WordPress sites has been discovered in Essential Addons for Elementor, a popular WordPress plugin used in over a million websites.

It affects versions 5.0.4 and earlier.
An unauthenticated user can exploit the vulnerability through a local file inclusion attack, such as a PHP file, to execute code on the site.

“The local file inclusion vulnerability has to do with the use of user input data in PHP’s include function, which is part of the ajax_load_more and ajax_eael_product_gallery functions,” explain PatchStack researchers who found the vulnerability.

This attack requires that the site has the “dynamic gallery” and “product gallery” widgets enabled so that a none token check is performed.

Patch Stack

Example of code causing the error
Source: Patch Stack

Two patching attempts failed

The vulnerability was discovered by researcher Wai Yan Muo Thet on January 25, 2022, and the plugin developer already knew about it at the time.

As a result, the author released version 5.0.3 to address this issue by applying a “sanitize_text_field” function on user input data. However, this sanitization does not prevent local payloads from being included.

Second, version 5.0.4 added the “sanitize_file_name” function, attempting to remove special characters, dots, slashes, and anything else that could override the text sanitization step.


Function to sanitize text field Patchstack

Function to clean up a text field
Source: Patch Stack

According to Patchstack, this was the version that was tested and found to be vulnerable, so the developer was informed that the fix was insufficient.

In version 5.0.5, the author implemented PHP’s “realpath” function, which prevents malicious pathname resolutions.

Limit and update

According to WordPress download statistics, this version was released last week, on January 28, 2022, and has only been downloaded 380,000 times up to this point.

More than 600,000 WordPress sites do not yet have the security update installed since the plugin is installed on over 1 million sites.

The Essential Addons for Elementor can be downloaded here or installed directly from the WordPress dashboard if you are one of the many people using it.

You can prevent actors from exploiting local file inclusion errors by following these steps, even if they can’t be fixed immediately:
Store your file paths in a secure database and assign each a unique ID. On the admissions list, only use verified and secured files.

Don’t put files on a web server that can be hacked, use a database instead.

About Author

Leave a Reply

Your email address will not be published. Required fields are marked *

Open chat
Can we help you?