WordPress plugin exposes half a million sites to attack

WordPress website
(Image credit: Shutterstock/Koshiro K)
Audio player loading…

A popular WordPress (opens in new tab) plugin used by more than a million websites all over the world has been found to be carrying a critical remote code execution (RCE) flaw that allowed potential malicious actors to perform a local file inclusion attack.

Cbersecurity researcher Wai Yan Muo Thet discovered the vulnerability in the Essential Addons for Elementor plugin on January 25, 2022, and reported it to Patchstack the same day. 

WPDeveloper, the owner of the plugin in question, was already aware of the vulnerability, and has already made two unsuccessful attempts to fix the issue.

Fixing the issue

"The local file inclusion vulnerability exists due to the way user input data is used inside of PHP's include function that are part of the ajax_load_more and ajax_eael_product_gallery functions," PatchStack explained. 

The only thing the vulnerable site needs, is to have the “dynamic gallery” and “product gallery” widgets enabled, it added.

Versions 5.0.3 and 5.0.4 both tried to address the problem, which was finally solved in version 5.0.5. At the moment, some 400,000 websites have upgraded the plugin, meaning roughly 600,000 are still vulnerable. 

Those running Essential Addons for Elementor have two ways to go about fixing the issue: either downloading the latest version from this link, or heading over to the WordPress dashboard and triggering the update directly from there. 

WordPress plugins have proved popular targets for hackers attacking major vulnerabilities in recent months. In November 2021, researchers found a website takeover flaw in the Preview E-mails for WooCommerce addon, while in December 2021, a vulnerability in the popular WPS Hide Login plugin could have allowed attackers access to a site's administrator login page.

The good news is that the plugins’ owners are usually quick to react, when the vulnerabilities are disclosed. Webmasters running WordPress sites (opens in new tab)are advised to keep all of their addons updated at all times, to bring the risk of an attack down to a minimum.

  •  You might also want to check out our list of the best web hosting services right now 

 Via: BleepingComputer (opens in new tab)  

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.