A WordPress plugin with over a million installations has been discovered to contain a critical vulnerability that could result in arbitrary code execution on compromised websites.
The plugin is Essential Addons for Elementor, which provides WordPress website owners with a library of over 80 elements and extensions to help design and customize pages and posts.
The vulnerability is exploitable only when widgets that rely on the vulnerable feature, such as Dynamic Gallery and Product Gallery, are in use. It results in local file inclusion, an attack technique in which a web application is tricked into exposing or executing arbitrary files on the web server.
The vulnerability affects plugin versions 5.0.4 and earlier, and its discovery is attributed to the researcher Wai Yan Myo Thet. After responsible disclosure, the security hole was fixed in version 5.0.5, released on January 28, “after several insufficient patches”.
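A site owner can check an installed copy against the version boundary given above by reading the `Version:` field from the plugin's header comment. The following is an added example, not code from the plugin or its developers; the function names and the sample headers are constructed for illustration, and it assumes the standard WordPress plugin header format.

```python
import re

# Fixed release named in the article; anything below it is treated as affected.
FIXED_VERSION = (5, 0, 5)

# WordPress reads plugin metadata from a comment header in the main plugin file.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """Turn '5.0.4' into (5, 0, 4); return None if any part is not numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def header_version(plugin_source):
    """Extract the Version field from a plugin file's header comment."""
    match = HEADER_RE.search(plugin_source)
    return parse_version(match.group(1)) if match else None


def classify(plugin_source):
    """Return 'affected', 'fixed' or 'unknown' for one plugin main file."""
    version = header_version(plugin_source)
    if version is None:
        # Missing or unparseable version: flag for manual review, never assume safe.
        return "unknown"
    # Pad short versions so that (5, 0) compares as 5.0.0.
    padded = version + (0,) * (len(FIXED_VERSION) - len(version))
    return "affected" if padded < FIXED_VERSION else "fixed"


# Constructed sample headers (not copied from the real plugin file).
SAMPLE_OLD = """<?php
/**
 * Plugin Name: Essential Addons for Elementor
 * Version: 5.0.4
 */
"""
SAMPLE_NEW = SAMPLE_OLD.replace("5.0.4", "5.0.5")

if __name__ == "__main__":
    for label, source in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, classify(source))
```

A result of `unknown` means the header could not be read and the copy should be inspected by hand.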
The development comes a few weeks after unidentified actors were reported to have manipulated dozens of WordPress themes and plugins hosted on a developer’s website to inject a backdoor with the aim of infecting more sites.