A remote code execution (RCE) vulnerability in the popular WordPress plugin Essential Addons for Elementor impacts hundreds of thousands of websites.
The Essential Addons for Elementor plugin for WordPress, which has over a million users, is affected by a critical remote code execution (RCE) vulnerability that impacts version 5.0.4 and older.
The RCE works by letting an unauthenticated user initiate a local file inclusion attack, for instance against a PHP file, in order to execute code on the website.
The vulnerability was discovered by Wai Yan Myo Thet. The flaw can be exploited only if websites have the “dynamic gallery” and “product gallery” widgets enabled so that a nonce token check is present.
According to him, the bug exists “due to the way user input data is used inside of PHP’s include function that is part of the ajax_load_more and ajax_eael_product_gallery functions.”
Vulnerabilities in the Essential Addons for Elementor plugin made it possible for an attacker to launch a Local File Inclusion attack, an exploit that lets an attacker cause a WordPress installation to reveal sensitive information and read arbitrary files.
From there the attack could lead to a more serious attack called a Remote Code Execution (RCE). Remote Code Execution is a very serious form of attack in which a hacker can run arbitrary code on a WordPress site and cause a range of damage, including a full site takeover.
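The class of bug described above, shown as an added example that is not the plugin's code or the researcher's snippet: a hypothetical handler that passes request data to `include`, next to a hardened version. `TEMPLATE_DIR`, the `template` request field and all function names are assumptions made for illustration.

```php
<?php
// Added illustration; hypothetical handler, not the plugin's code.
// TEMPLATE_DIR and the 'template' request field are assumed names.
const TEMPLATE_DIR = __DIR__ . '/templates';

// Vulnerable pattern: request data is concatenated straight into include,
// so directory-traversal sequences in the value escape TEMPLATE_DIR.
function render_template_unsafe(array $request): void
{
    include TEMPLATE_DIR . '/' . $request['template'] . '.php';
}

// Hardened pattern: returns a canonical path inside $baseDir, or null.
function resolve_template(string $name, string $baseDir = TEMPLATE_DIR): ?string
{
    // 1. Accept only a plain identifier: no slashes, dots or NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // 2. Canonicalise; realpath() returns false when the file does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Containment: the resolved file must still sit under the base
    //    directory (this also rejects symlinks that point elsewhere).
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function render_template_safe(array $request): bool
{
    $name = $request['template'] ?? null;
    $path = is_string($name) ? resolve_template($name) : null;
    if ($path === null) {
        return false;            // reject; nothing is included
    }
    include $path;
    return true;
}

// Constructed inputs: only the first can resolve, and only if the file exists.
foreach (['gallery-grid', '../secret', 'a/b', ''] as $candidate) {
    printf("%-14s => %s\n", var_export($candidate, true),
        resolve_template($candidate) ?? 'rejected');
}
```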
The experts also provided some examples of code snippets that trigger the plugin remote code execution flaw in WordPress.
The snippets of code that cause the vulnerability look like the following: