Essential Addons for Elementor, a popular WordPress plugin with over a million installations, contains a severe remote code execution (RCE) vulnerability in versions 5.0.4 and older. The flaw allows an unauthenticated user to execute code on the site through a local file inclusion attack, for example by including a PHP file.
“The local file inclusion vulnerability exists due to the way user input data is used inside of PHP’s include function that are part of the ajax_load_more and ajax_eael_product_gallery functions,” clarify the PatchStack researchers who found the vulnerability.
The only requirements for the attack are that the “dynamic gallery” and “product gallery” widgets are enabled on the site, and that no nonce check is performed. The vulnerability was identified on January 25, 2022, by researcher Wai Yan Muo Thet, and the plugin developer was already aware of it at the time.
In fact, the author had already issued version 5.0.3 to fix the problem, using the “sanitize_text_field” function to clean up the user input data. This sanitization, however, does not prevent local payloads from being included.
Version 5.0.4 was the second attempt, with the “sanitize_file_name” function used to remove special characters, dots, slashes, and anything else that could be used to bypass the text sanitization step.
PatchStack tested this version and found it still susceptible, and told the developer that the update was not enough to address the problem. The author eventually published 5.0.5, which uses PHP’s “realpath” function to canonicalize the path so that manipulated pathnames no longer resolve to unintended files.
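The sequence above (string sanitization alone, then realpath-based resolution) is the core of the fix. The following is an added example, not code from Essential Addons or PatchStack, of the defensive pattern the final release relies on: resolve the user-supplied template name with realpath, then refuse anything that does not land inside the fixed template directory as an existing .php file. The function name resolve_template, the temporary directory layout and the sample inputs are assumptions constructed for this illustration.

```php
<?php
// Added example (not the plugin's code): resolve a user-supplied template name
// against a fixed directory and only include it if the canonical path stays
// inside that directory. Names and paths below are constructed for the demo.

/**
 * Return the absolute path of $name inside $base_dir, or null when the name
 * does not resolve to an existing .php file inside $base_dir.
 */
function resolve_template(string $base_dir, string $name): ?string
{
    $base = realpath($base_dir);
    if ($base === false) {
        return null; // base directory missing: nothing can be included
    }
    // realpath() canonicalises ".." segments and symlinks; it returns false
    // when the target does not exist, so non-existent paths are rejected too.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false) {
        return null;
    }
    // Containment check on the canonical path. The trailing separator makes
    // sure "/tmp/templates_other" is not accepted as being under "/tmp/templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only regular .php files are templates; refuse directories and other types.
    if (!is_file($target) || pathinfo($target, PATHINFO_EXTENSION) !== 'php') {
        return null;
    }
    return $target;
}

// Constructed sandbox: a throwaway template directory with one real template
// and one file that lives outside it.
$dir = sys_get_temp_dir() . '/eael_example_' . getmypid();
mkdir($dir . '/templates', 0700, true);
file_put_contents($dir . '/templates/grid.php', "<?php echo 'grid template';\n");
file_put_contents($dir . '/outside.txt', "not a template\n");

$cases = [
    'grid.php',              // legitimate template: accepted
    '../templates/grid.php', // canonicalises back inside templates/: accepted
    '../outside.txt',        // exists, but resolves outside templates/: rejected
    'missing.php',           // does not exist: rejected
];
foreach ($cases as $name) {
    $path = resolve_template($dir . '/templates', $name);
    printf("%-24s => %s\n", $name, $path === null ? 'REJECTED' : 'include ' . basename($path));
}

// Clean up the sandbox.
unlink($dir . '/templates/grid.php');
unlink($dir . '/outside.txt');
rmdir($dir . '/templates');
rmdir($dir);
```

The point of the containment check is that it does not try to enumerate bad characters, which is where the sanitize_file_name approach fell short: whatever the input looks like, the decision is made on the canonical path realpath produces, and only a path that already exists under the template directory can ever reach include.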
According to WordPress’ download statistics, this version was only released last week, on January 28, 2022, and has been installed only about 380,000 times. With the plugin deployed on more than 1 million WordPress sites, that leaves over 600,000 sites that have not yet received the security update.
If you’re one of the many people who use Essential Addons for Elementor, you can get the current version here or upgrade immediately from your WordPress dashboard.