Security Flaw in WordPress Exposes Millions of Websites to Hackers

A critical vulnerability has been found in a popular WordPress plugin used by more than a million websites worldwide.

The Essential Addons for Elementor plugin was found to contain a critical flaw that lets attackers perform a local file inclusion attack, which can be escalated to Remote Code Execution (RCE).

How The Attack Works

An RCE attack allows attackers to remotely execute malicious code on a computer. RCE attacks can range from malware execution to an attacker taking full control of a compromised machine.

The vulnerability was discovered in the plugin by cybersecurity researcher Wai Yan Muo Thet on January 25th, 2022, and was reported to Patchstack. Patchstack customers received a virtual patch the same day.

Patchstack is a WordPress security firm that aims to protect websites from plugin vulnerabilities.

Before the attack, the plugin's developer, WPDeveloper, was already aware of the vulnerability and had made two unsuccessful attempts to mitigate it.

Patchstack published a summary of the vulnerability, explaining:

This vulnerability allows any user, regardless of their authentication or authorization status, to perform a local file inclusion attack. This attack can be used to include local files on the filesystem of the website, such as /etc/passwd. This can also be used to perform RCE by including a file with malicious PHP code that normally cannot be executed.

Patchstack also noted that the vulnerability can only be reached when the dynamic gallery or product gallery widget is in use, since both rely on the vulnerable functions.
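To illustrate the bug class Patchstack describes, the following is an added example (hypothetical code, not taken from Essential Addons for Elementor or WPDeveloper) of a WordPress AJAX handler that builds an include path from a request parameter, beside a hardened version that only includes files from a fixed allowlist inside the plugin's own templates directory. The function names, the nonce action and the template names are assumptions.

```php
<?php
// Added example: a hypothetical gallery widget AJAX handler, NOT the plugin's own code.

// VULNERABLE PATTERN: the file to include is derived straight from the request.
// Any local file on the filesystem can be pulled into include(), including one
// containing PHP code that would normally never be executed; this is the
// local file inclusion Patchstack describes.
function example_render_gallery_vulnerable(): void {
    $template = isset($_POST['template']) ? sanitize_text_field(wp_unslash($_POST['template'])) : 'default';
    // sanitize_text_field() strips tags and whitespace but leaves path
    // separators and ".." untouched, so it does not stop traversal.
    include plugin_dir_path(__FILE__) . 'templates/' . $template . '.php';
}

// HARDENED PATTERN: never build an include path from untrusted input.
// 1. Map the request value onto a fixed allowlist of template names.
// 2. Resolve the final path with realpath() and confirm it stays inside the templates dir.
function example_resolve_template(string $requested): ?string {
    $allowed = ['default', 'masonry', 'carousel'];   // assumed template names
    if (!in_array($requested, $allowed, true)) {
        return null;                                   // unknown name: refuse
    }
    $base = realpath(plugin_dir_path(__FILE__) . 'templates');
    $path = realpath($base . '/' . $requested . '.php');
    // realpath() returns false for a missing file; the prefix check catches
    // symlinks or anything else that resolves outside the templates directory.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function example_render_gallery_hardened(): void {
    // A nonce limits cross-site triggering but is not authentication; the
    // allowlist and path check in example_resolve_template() are what remove the LFI.
    check_ajax_referer('example_gallery_nonce', 'nonce');
    $requested = isset($_POST['template']) ? sanitize_key(wp_unslash($_POST['template'])) : 'default';
    $path = example_resolve_template($requested);
    if ($path === null) {
        wp_send_json_error('invalid template', 400);
    }
    include $path;
    wp_die();
}
```

The same allowlist-plus-realpath check applies to any plugin parameter that selects a file, whether it arrives via admin-ajax.php, the REST API or a shortcode attribute.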

Previously, versions 5.0.3 and 5.0.4 of the plugin attempted to resolve the issue but failed. A complete patch was released last week, with the roll-out of version 5.0.5.

More than a million WordPress websites use Essential Addons for Elementor, although it is unclear how many of them have the affected widgets enabled. While more than 400,000 websites have already updated to a patched version of the plugin, roughly 600,000 remain potentially vulnerable.
