
Critical vulnerability found in WordPress plugin for Elementor with over 1 million downloads


A WordPress plugin with over a million installations has been found to contain a critical vulnerability that could lead to arbitrary code execution on affected websites.

The plugin is Essential Addons for Elementor, which provides WordPress website owners with a library of over 80 elements and extensions to help design and customize pages and posts.

“This vulnerability allows any user, regardless of their authentication or authorization status, to perform a local file inclusion attack. This attack can be used to include local files in the website’s file system, such as /etc/password. This can also be used to perform RCE by including a file with malicious PHP code that normally cannot be executed,” Patchstack said in a report.

The vulnerability is only exploitable when widgets that rely on the affected feature, such as Dynamic Gallery and Product Gallery, are in use. The result is local file inclusion (LFI), an attack technique in which a web application is tricked into exposing or executing arbitrary files on the web server.
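As an added illustration (not code from Essential Addons or from Patchstack's report), the snippet below shows the general shape of a local file inclusion bug in a PHP template loader next to a hardened version; the function names, template names and directory layout are hypothetical.

```php
<?php
// Added example, not the plugin's own code: a hypothetical gallery-widget
// template loader in its risky form and in a hardened form.

// RISKY: a template name taken from request data is concatenated into an
// include path. Traversal sequences or absolute paths let a caller pull in
// files outside the templates directory, and any PHP in them is executed.
function load_gallery_template_unsafe(string $templateFromRequest): void {
    include __DIR__ . '/templates/' . $templateFromRequest . '.php';
}

// HARDENED: accept only names from a fixed allowlist of shipped templates,
// then confirm the resolved path still lies inside the templates directory.
const GALLERY_TEMPLATES = ['default', 'masonry', 'carousel'];

function resolve_gallery_template(string $name): ?string {
    if (!in_array($name, GALLERY_TEMPLATES, true)) {
        return null;                       // unknown name: refuse, never include
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $name . '.php');
    // realpath() returns false for missing files and collapses "../"; the
    // prefix test additionally guards against symlinks or a bad base directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function load_gallery_template(string $name): bool {
    $path = resolve_gallery_template($name);
    if ($path === null) {
        error_log('gallery template rejected: ' . $name);   // keep an audit trail
        return false;
    }
    include $path;
    return true;
}

// Demonstration with constructed inputs. A traversal string is rejected by
// the allowlist before any filesystem access; a valid name is rejected here
// only because this stand-alone script ships no templates directory.
var_dump(resolve_gallery_template('../../etc/passwd'));   // NULL
var_dump(resolve_gallery_template('default'));            // NULL without ./templates/default.php
```

The allowlist is the check that matters; the realpath prefix test is defence in depth for the case where the template list is later loaded from configuration rather than hard-coded.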

The vulnerability affects all plugin versions 5.0.4 and earlier, and its discovery is credited to researcher Wai Yan Myo Thet. Following responsible disclosure, the security hole was fixed in version 5.0.5, released on January 28, “after several insufficient patches”.

The development comes a few weeks after unidentified actors were reported to have manipulated dozens of WordPress themes and plugins hosted on a developer’s website to inject a backdoor with the aim of infecting more sites.
