A potentially dangerous vulnerability has been discovered in a major WordPress plugin that is used by over a million websites around the world.
A major Remote Code Execution (RCE) bug was discovered in the Essential Addons for Elementor plugin, allowing potentially malicious attackers to launch a local file inclusion attack.
How the Attack Works
An RCE attack lets an attacker run malicious code on a computer from a distance. RCE attacks can range from the execution of malware to the complete control of a compromised machine.
On January 25th, 2022, cybersecurity researcher Wai Yan Muo Thet uncovered a vulnerability in the plugin and reported it to Patchstack. Patchstack clients received a virtual upgrade the next day as well.
Patchstack is a WordPress security company that tries to keep websites safe against plugin flaws.
The plugin's owner, WPDeveloper, was aware of the vulnerability prior to the attack and had made two unsuccessful attempts to address the problem.
Patchstack released a summary of the flaw, stating that, “This vulnerability allows any user, regardless of their authentication or authorization status, to perform a local file inclusion attack. This attack can be used to include local files on the filesystem of the website, such as /etc/password.
This can also be used to perform RCE by including a file with malicious PHP code that normally cannot be executed.”
According to Patchstack, the vulnerability only exists if the dynamic gallery and product gallery widgets are used, because both use the vulnerable functions.
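To make the local file inclusion pattern concrete, here is an added, hypothetical PHP widget template loader. It is not code from Essential Addons for Elementor or from Patchstack; the function names, the template directory and the template keys are assumptions made for illustration. The first function shows the class of defect described above (a request-controlled value reaching include), and the second shows the allow-list and path-containment check that closes it.

```php
<?php
// Added example, not the plugin's code. Assumed layout: widget templates
// live under the plugin's templates/ directory.
define('EXAMPLE_TEMPLATE_DIR', __DIR__ . '/templates/');

// VULNERABLE PATTERN: the template name comes straight from request or
// widget settings and is passed to include without validation. A value
// that walks outside the template directory includes an arbitrary local
// file, and if that file contains PHP the server now executes it, which is
// the LFI-to-RCE chain described in the Patchstack summary.
function example_render_widget_vulnerable(array $settings): void
{
    $template = (string) ($settings['template'] ?? '');
    include EXAMPLE_TEMPLATE_DIR . $template;
}

// Map of the only template names a widget is allowed to load
// (hypothetical keys chosen to match the widgets named in the article).
function example_allowed_templates(): array
{
    return [
        'dynamic-gallery' => 'dynamic-gallery.php',
        'product-gallery' => 'product-gallery.php',
    ];
}

// Resolve a template key to an absolute path, or null if it must be refused.
// Two independent checks: the key must be in the allow-list, and the resolved
// path must still sit inside the template directory after realpath() has
// collapsed any "../" segments and followed symlinks.
function example_resolve_template(string $key): ?string
{
    $allowed = example_allowed_templates();
    if (!array_key_exists($key, $allowed)) {
        return null;
    }
    $base = realpath(EXAMPLE_TEMPLATE_DIR);
    $path = realpath(EXAMPLE_TEMPLATE_DIR . $allowed[$key]);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the template directory
    }
    return $path;
}

// HARDENED PATTERN: include only a path that passed both checks.
function example_render_widget_hardened(array $settings): void
{
    $path = example_resolve_template((string) ($settings['template'] ?? ''));
    if ($path === null) {
        return; // unknown or out-of-tree template: refuse rather than guess
    }
    include $path;
}
```

The allow-list alone would already block this bug class; the realpath() containment check is kept as defence in depth so that a future change which builds paths from user data cannot silently reopen the hole. When reviewing a plugin for this pattern, look for include, require or their _once variants whose argument is derived from $_GET, $_POST, or widget settings without passing through a fixed mapping like the one above.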
Previously, versions 5.0.3 and 5.0.4 of the plugin tried but failed to fix the problem. With the release of version 5.0.5 last week, a full patch was made available.
Essential Addons for Elementor is used by over a million WordPress websites. However, how many of them have the widgets activated is unknown.
Although over 400,000 websites have already upgraded to the patched versions of the plugin, 600,000 websites are still possibly vulnerable.