WordPress admins urged to patch critical security bug
600,000 site owners are yet to update the Essential Addons for Elementor plugin
The developer of the 'Essential Addons for Elementor' WordPress plugin has patched a critical remote code execution (RCE) bug in versions 5.0.4 and older, which could allow a malicious actor to carry out a local file inclusion attack and run arbitrary code on the site.
Essential Addons for Elementor is a widely used plugin that provides more than 80 elements and extensions to help WordPress admins design pages and posts for their sites. The plugin has more than a million active installs, according to Bleeping Computer.
In a blog post detailing the vulnerability, researchers from WordPress security firm Patchstack said that the flaw was discovered by researcher Wai Yan Muo Thet on 25 January 2022, and that the developer already knew about the existence of the bug at that time.
According to Patchstack researchers, this vulnerability allows any user to launch a local file inclusion attack, regardless of their authentication or authorisation status.
"This attack can be used to include local files on the filesystem of the website, such as /etc/passwd."
This may also be used to achieve RCE by including a file that contains malicious PHP code and would otherwise never be executed.
According to the researchers, the bug exists "due to the way user input data is used inside of PHP's include function that are part of the ajax_load_more and ajax_eael_product_gallery functions."
It is important to note that the security weakness only affects sites that have the dynamic gallery and product gallery widgets enabled, since only those widgets use the vulnerable functions, and because the nonce token check is visible only when these widgets are turned on.
The plugin author attempted to resolve the flaw in version 5.0.3 by applying the "sanitize_text_field" function to the user input data, but this failed to close the security hole.
In the next attempt, the developer released version 5.0.4, which added the "sanitize_file_name" function in an effort to remove slashes, special characters, dots, and anything else that a malicious actor could use to bypass the text sanitisation step.
This version, however, still failed to restrict the use of local payloads.
Last week, the developer rolled out version 5.0.5, which effectively patched the weakness by using PHP's "realpath" function.
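The pattern behind that final fix, written here as an added illustration rather than the plugin's own code: character-stripping functions such as sanitize_file_name cannot by themselves guarantee where a path ends up, whereas resolving the candidate with realpath and then checking that it still lies inside the allowed directory does. The directory name, the template parameter and the helper name are placeholders assumed for the example.

```php
<?php
// Added example (not Essential Addons' code): resolve a user-supplied
// template name and refuse anything outside the allowed directory.
// $base_dir and the ".php" suffix are assumptions for this illustration.

function resolve_template_path(string $base_dir, string $user_value): ?string
{
    // Canonicalise the allowed directory first; realpath() returns false
    // when the directory does not exist.
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }

    // Accept only a plain file name: no separators, no dots, no parent
    // components. Reject the value instead of trying to "clean" it.
    if ($user_value === '' || preg_match('/[^A-Za-z0-9_-]/', $user_value)) {
        return null;
    }

    // realpath() collapses any ".." segments and symlinks and returns
    // false when the target does not exist.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $user_value . '.php');
    if ($candidate === false) {
        return null;
    }

    // Containment check: the resolved path must still start with the
    // resolved base directory plus a separator.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// Usage sketch inside an AJAX handler (parameter and action names are
// placeholders). check_ajax_referer() validates the nonce; it does not
// replace the path validation above.
// check_ajax_referer('placeholder_action', 'nonce');
// $path = resolve_template_path(__DIR__ . '/templates', $_POST['template'] ?? '');
// if ($path === null) {
//     wp_send_json_error('invalid template', 400);
// }
// include $path;
```

A fixed allowlist of template names is stronger still where the set of files is known in advance; the realpath containment check is the general form of the same idea.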
According to WordPress' download statistics, approximately 380,000 users have installed the latest version, meaning that nearly 600,000 WordPress sites are still vulnerable to attacks from malicious actors.
The findings come days after WordPress security firm Wordfence disclosed details of a now-patched cross-site scripting (XSS) bug that impacted a plugin called "WordPress Email Template Designer - WP HTML Mail" that is installed on over 20,000 websites.
The vulnerability, indexed as CVE-2022-0218, scored 8.3 on the CVSS rating system and was patched in version 3.1, released on 13 January 2022.
Last month, Wordfence said that it had detected a massive wave of attacks that was originating from over 16,000 different IP addresses and targeting more than 1.6 million WordPress sites.
The Wordfence Threat Intelligence team noticed a huge surge in attacks in December that exploited security bugs in four WordPress plugins and 15 Epsilon Framework themes, enabling threat actors to update arbitrary options on vulnerable websites.
In 2019, cybercriminals attacked Mailgun's website by exploiting an unpatched cross-site scripting bug in a WordPress plugin named 'Yuzo Related Posts'.
Using the vulnerability, hackers were able to inject malicious code into sites, which redirected incoming visitors to a malicious website.