The popular WordPress plugin Essential Addons for Elementor, which is installed on over a million WordPress sites, was found to have a critical remote code execution (RCE) vulnerability.
The vulnerability is a local file inclusion (LFI) attack that would allow an unauthenticated attacker to read sensitive files on the system or execute malicious PHP code. The vulnerability exists due to the way user input data is used by a PHP include statement inside the ajax_load_more and ajax_eael_product_gallery functions. For the vulnerability to work, widgets such as “dynamic gallery” or “product gallery” must be enabled in the plugin for the vulnerable functions to be accessible. Without these widgets enabled, the vulnerable code will not be visible, and no user input will be passed to them.
Version 5.0.5 of the plugin has been released and fixes this vulnerability. As of this writing, this version of the plugin has been installed on approximately 380,000 sites, leaving over 600,000 sites still potentially vulnerable to attack.