Threat Watch

600K WordPress Sites Impacted by Critical Plugin RCE Vulnerability

The popular WordPress plugin Essential Addons for Elementor, which is installed on over a million WordPress sites, was found to have a critical remote code execution (RCE) vulnerability.

The vulnerability is a local file inclusion (LFI) flaw that would allow an unauthenticated attacker to read sensitive files on the system or execute malicious PHP code. It exists because user-supplied data reaches a PHP include statement inside the ajax_load_more and ajax_eael_product_gallery functions. For the vulnerability to be exploitable, widgets such as “dynamic gallery” or “product gallery” must be enabled in the plugin, since those widgets are what make the vulnerable functions reachable. Without these widgets enabled, the vulnerable code path is not exposed, and no user input is passed to it.
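As an added illustration (not the plugin's code and not the vendor's patch), the general pattern behind this class of bug and a hardened form: a template name taken from the request feeds a PHP include directly, versus resolving the name against a fixed allowlist and confirming the resolved path stays inside the template directory. The function names, directory layout and allowlist entries are assumptions.

```php
<?php
// Added example, not the plugin's code. Demonstrates the general pattern only.
// Assumed layout: templates live under $base_dir as {name}.php, and the
// caller is an AJAX handler reachable without authentication.

// Vulnerable pattern: a request-controlled value reaches include unchanged,
// so any file the web server user can read (or write) can be pulled in.
function render_template_unsafe(string $base_dir, string $name): void {
    include $base_dir . '/' . $name . '.php';
}

// Hardened pattern: only names from a fixed allowlist are accepted, and the
// resolved path is re-checked against the template directory before inclusion.
function resolve_template(string $base_dir, string $name): ?string {
    static $allowed = ['default', 'grid', 'masonry']; // constructed allowlist
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $name . '.php');
    // realpath() returns false for missing files; the prefix check guards
    // against symlinks or a future allowlist entry that escapes the directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $base_dir, string $name): void {
    $path = resolve_template($base_dir, $name);
    if ($path === null) {
        http_response_code(400); // reject rather than fall back to a guess
        return;
    }
    include $path;
}

// Self-check against a constructed temporary template directory.
$dir = sys_get_temp_dir() . '/tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/grid.php", "<?php echo 'grid';");
assert(resolve_template($dir, 'grid') === realpath("$dir/grid.php"));
assert(resolve_template($dir, '../grid') === null);   // not on the allowlist
assert(resolve_template($dir, 'masonry') === null);   // allowed name, no file
```

In a WordPress handler the same check belongs before the include in both the authenticated and the nopriv AJAX hooks, since the hardening only helps on the code path the attacker can actually reach.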

Version 5.0.5 of the plugin has been released and fixes this vulnerability. As of this writing, this version of the plugin has been installed on approximately 380,000 sites, leaving over 600,000 sites still potentially vulnerable to attack.

ANALYST NOTES

It is recommended that any WordPress site currently using this plugin install the updated version as soon as possible. WordPress is one of the most heavily attacked and compromised applications on the Internet, so it will not be long before this vulnerability is abused by threat actors to take control of impacted systems. It is also recommended to enable automatic background updates for all components of WordPress, including plugins and themes. This helps ensure that when a critical vulnerability is disclosed, its patch is applied as soon as it becomes available. Any plugins or themes not actively used on the site should also be disabled or removed to reduce the application's attack surface.

https://www.bleepingcomputer.com/news/security/600k-wordpress-sites-impacted-by-critical-plugin-rce-vulnerability/

https://patchstack.com/articles/critical-vulnerability-fixed-in-essential-addons-for-elementor-plugin/