WordPress plugin exposes half a million sites to attack
A popular WordPress plugin used by more than a million websites all over the world has been found to be carrying a critical remote code execution (RCE) flaw that allowed potential malicious actors to perform a local file inclusion attack.
Cybersecurity researcher Wai Yan Muo Thet discovered the vulnerability in the Essential Addons for Elementor plugin on January 25, 2022, and reported it to Patchstack the same day.
WPDeveloper, the owner of the plugin in question, was already aware of the vulnerability and had already made two unsuccessful attempts to fix the issue.
Fixing the Issue
“The local file inclusion vulnerability exists because of the way user input data is used inside PHP’s include function, which is part of the ajax_load_more and ajax_eael_product_gallery functions,” PatchStack explained.
The only thing the vulnerable website needs is to have the “dynamic gallery” and “product gallery” widgets enabled, it added.
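The pattern PatchStack describes, a client-supplied value flowing into PHP's include, is shown below as an added illustrative example. It is not code from Essential Addons for Elementor or from PatchStack; the template directory, the layout names and the handler name ajax_render_gallery are constructed for the example. The unsafe function shows the class of bug, and the safe version shows the usual fix: resolve only against a fixed allowlist and confirm the resolved path stays inside the template directory.

```php
<?php
// Added illustrative example, not code from the plugin discussed in the article.
// Assumptions (hypothetical): a plugin ships layout templates under $template_dir
// and an AJAX handler receives a layout name from the client.

// Vulnerable pattern: the client-controlled value reaches include() unchanged,
// so the path can be steered to any file PHP can read (local file inclusion).
function render_layout_unsafe(string $template_dir, string $layout): void {
    include $template_dir . '/' . $layout . '.php';
}

// Hardened pattern: accept only names from a fixed allowlist (constructed list).
const ALLOWED_LAYOUTS = ['grid', 'list', 'masonry'];

// Returns the absolute template path, or null if the request must be refused.
function resolve_layout_path(string $template_dir, string $layout): ?string {
    if (!in_array($layout, ALLOWED_LAYOUTS, true)) {
        return null; // unknown name: refuse rather than try to sanitise it
    }
    $base = realpath($template_dir);
    $path = realpath($template_dir . '/' . $layout . '.php');
    // Defence in depth: even an allowlisted name must resolve inside $template_dir
    // (guards against symlinks or a mis-set directory).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_layout_safe(string $template_dir, string $layout): void {
    $path = resolve_layout_path($template_dir, $layout);
    if ($path === null) {
        http_response_code(400);
        echo 'invalid layout';
        return;
    }
    include $path;
}

// Hypothetical AJAX entry point using the safe version. In a real WordPress
// plugin this would also verify a nonce and the caller's capability.
function ajax_render_gallery(): void {
    $layout = isset($_POST['layout']) ? (string) $_POST['layout'] : 'grid';
    render_layout_safe(__DIR__ . '/templates', $layout);
}
```

The allowlist is what does the work: sanitising a free-form path (stripping dots and slashes) is fragile, whereas mapping a small set of known names to files leaves nothing for the client to steer. The realpath check is a second layer that catches misconfiguration rather than a substitute for the allowlist.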
Versions 5.0.3 and 5.0.4 both tried to address the problem, which was finally solved in version 5.0.5. At the moment, some 400,000 websites have upgraded the plugin, meaning roughly 600,000 are still vulnerable.
Those running Essential Addons for Elementor have two ways to fix the issue: either downloading the latest version from this link, or heading over to the WordPress dashboard and triggering the update directly from there.
WordPress plugins have proved popular targets for hackers attacking major vulnerabilities in recent months. In November 2021, researchers found a site takeover flaw in the Preview E-mails for WooCommerce addon, while in December 2021, a vulnerability in the popular WPS Hide Login plugin could have allowed attackers access to a website’s administrator login page.
The good news is that plugin owners are usually quick to react when vulnerabilities are disclosed. Site owners running WordPress sites are advised to keep all of their addons up to date at all times, to bring the risk of an attack down to a minimum.