Essential Addons for Elementor is a popular WordPress plugin used in over a million sites that provides easy-to-use and creative elements to improve the appearance of the pages.
The plugin is affected by a critical remote code execution (RCE) vulnerability that impacts version 5.0.4 and older.
An unauthenticated user can exploit the vulnerability to perform a local file inclusion attack, such as a PHP file, to remotely gain code execution on sites running a vulnerable version of the plugin.
“This attack can be used to include local files on the filesystem of the website, such as /etc/passwd. This can also be used to perform RCE by including a file with malicious PHP code that normally cannot be executed.” reads the analysis published by PatchStack. “The local file inclusion vulnerability exists due to the way user input data is used inside of PHP’s include function that are part of the ajax_load_more and ajax_eael_product_gallery functions.”
The vulnerability was discovered by Wai Yan Myo Thet, the flaw can be exploited only if websites have the “dynamic gallery” and “product gallery” widgets enabled so that a none token check is present.
Initially, the development team attempted to fix the flaw by implementing a “sanitize_text_field” function on the user input data. However, experts discovered that it was still possible the inclusion of local payloads, then a second patch was applied to version 5.0.4. The new patch invokes the WordPress sanitize file_name function. The function removes special characters that are not admitted in filenames, such as dots and slashes, in order to prevent local file inclusion attacks. Unfortunately, this version was still vulnerable and requested an additional review.
“The third patch was applied to version 5.0.5 of the plugin which can be seen below. This adds more security by making use of PHP’s realpath function. This function returns the canonicalized absolute pathname by expanding all symbolic links and resolves references to ., ../, etc. in the input path.” continues the analysis.
Version 5.0.5 was released on January 28, 2022, and at the time of this writing, it was installed only on 380,000 WordPress websites, this means that more than 600K sites are still using a potentially vulnerable version.
Below is the timeline for this vulnerability:
(SecurityAffairs – hacking, WordPress)