Essential Addons for Elementor, a WordPress plugin installed on more than a million websites, was found to carry a critical local file inclusion (LFI) flaw that an unauthenticated attacker could escalate to remote code execution (RCE). Security researcher Wai Yan Muo Thet reported the vulnerability on January 25, 2022.
The Owner of the WordPress Plugin is Trying to Patch Up the Vulnerability
WPDeveloper, the plugin's maintainer, was already aware of the vulnerability and had made two unsuccessful attempts to fix it. “The local file inclusion vulnerability exists due to the way user input data is used inside of PHP’s include function that is part of the ajax_load_more and ajax_eael_product_gallery functions,” PatchStack explained. The only precondition, it added, is that the site has the “dynamic gallery” and “product gallery” widgets enabled.
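The pattern Patchstack describes, a request parameter flowing into PHP's include(), is shown below as an added illustration. This is not code from Essential Addons for Elementor or from WPDeveloper; the handler names, the `template` parameter, the layout allowlist and the temporary files are all constructed for the example. The vulnerable function includes whatever path the request names, so a traversal value such as `../secret` reaches a file outside the template directory; the hardened version maps the parameter onto a fixed allowlist and then confirms with realpath() that the resolved file still sits inside the intended directory before including it.

```php
<?php
// Added example, not the plugin's code. A simplified AJAX-style handler that picks a
// gallery template file based on request data.

// VULNERABLE: the request value is concatenated straight into include(), so the caller
// controls which file PHP executes (directory traversal via "../", or any PHP file the
// attacker can place on disk).
function render_gallery_item_vulnerable(array $request, string $template_dir): string
{
    $template = $request['template'] ?? 'default';   // hypothetical parameter name
    ob_start();
    include $template_dir . '/' . $template . '.php'; // attacker-controlled path
    return (string) ob_get_clean();
}

// HARDENED: accept only known layout names, then verify the resolved path is inside
// the template directory before including it.
function render_gallery_item_safe(array $request, string $template_dir): string
{
    $allowed  = ['default', 'grid', 'masonry'];       // hypothetical layout allowlist
    $template = $request['template'] ?? 'default';
    if (!in_array($template, $allowed, true)) {
        throw new InvalidArgumentException('unknown template: ' . $template);
    }
    $base = realpath($template_dir);
    $path = realpath($template_dir . '/' . $template . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('template resolves outside the template directory');
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Demo: constructed throwaway template directory plus one PHP file outside it.
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir("$root/templates", 0700, true);
file_put_contents("$root/templates/default.php", '<?php echo "default layout";');
file_put_contents("$root/secret.php", '<?php echo "CONTENTS OF A FILE OUTSIDE templates/";');
$dir = "$root/templates";

echo render_gallery_item_vulnerable(['template' => 'default'], $dir), PHP_EOL;
// Traversal: "../secret" + ".php" resolves to $root/secret.php and is executed.
echo render_gallery_item_vulnerable(['template' => '../secret'], $dir), PHP_EOL;

echo render_gallery_item_safe(['template' => 'default'], $dir), PHP_EOL;
try {
    render_gallery_item_safe(['template' => '../secret'], $dir);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}

// Clean up the temporary files.
unlink("$root/templates/default.php");
unlink("$root/secret.php");
rmdir("$root/templates");
rmdir($root);
```

Run it with `php lfi_demo.php`. The allowlist alone is sufficient for a fixed set of layouts; the realpath() check is kept as defence in depth so that a later change to how `$template` is built (for example, accepting a sanitised but still user-supplied string) cannot silently reopen the traversal.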
Versions 5.0.3 and 5.0.4 of the plugin both attempted to fix the problem; it was finally resolved in version 5.0.5. At the time of writing, some 400,000 sites have upgraded, leaving around 600,000 still vulnerable. Site owners running Essential Addons for Elementor should update to the latest version, either by downloading it from the plugin repository or by running the update from the Plugins page of the WordPress dashboard.
Vulnerabilities in Plugins Have Caused Some Very Malicious Cyber Attacks
WordPress plugins have become popular targets for attackers, with several major vulnerabilities disclosed in recent months. In November 2021, researchers found a site takeover flaw in the Preview E-mails for WooCommerce plugin, and in December 2021 a vulnerability in the widely used WPS Hide Login plugin could have allowed attackers to locate a site’s administrator login page.
The good news is that plugin maintainers usually react quickly once a vulnerability is disclosed. Webmasters running WordPress sites are advised to keep all of their plugins updated at all times to keep the window of exposure to a minimum.
Source: Pro Pakistani