Essential Addons for Elementor, a popular WordPress plugin with over a million installations, discovered to have a critical remote code execution RCE vulnerability in versions 5.0.4 and older.
A local file inclusion attack, such as a PHP file, allows an unauthenticated user to execute code on the site.
“The local file inclusion vulnerability exists due to the way user input data used inside of PHP’s include function that are part of the ajax_load_more. And ajax_eael_product_gallery functions.” explains PatchStack researchers who discovered the vulnerability.
The sole requirement for the attack is that the “dynamic gallery”. And “product gallery” widgets enabled on the site, as well as a none token check.
Two patching attempts were unsuccessful
The RCE vulnerability discovered on January 25, 2022, by researcher Wai Yan Muo Thet. And the plugin developer was already aware of it at the time.
In fact, the author had released version 5.0.3 to address this issue by applying a “sanitize_text_field” function on the user input data. This sanitization does not prevent local payloads from being included.
Version 5.0.4 was the second attempt, with the “sanitize file name” function attempting to remove special characters, dots, slashes. And anything else that used to bypass the text sanitization step.
Patchstack tested this version and found it vulnerable. So they informed the developer that the fix wasn’t enough to mitigate the problem.
The author eventually released 5.0.5, which included PHP’s “realpath” function, which prevented malicious pathname resolutions.
Update and alleviate the situation
According to WordPress’ download statistics, this version was only launched last week, on January 28, 2022, and has only been installed about 380,000 times.
With the plugin deployed on over one million WordPress sites. It implies over 600,000 sites have failed to receive the security update.
If you’re one of the many people who uses Essential Addons for Elementor, you can download the latest version here or upgrade immediately from your WordPress dashboard.
Follow these steps to prevent actors from exploiting local file inclusion flaws, even if they can’t be directly mitigated:
- Save your file paths in a secure database and assign each one a unique ID.
- Ignore anything else and use only certified and secured allowlist files.
- Don’t include files on a web server that compromised, but use a database instead.
- Instead of executing files in a specified directory, have the server send download headers automatically.
You may also like:
Leave A Comment