A WordPress plugin that has had over one million installations was found to have a critical flaw. This vulnerability could allow for the execution of arbitrary codes on compromised websites.
The plugin is Essential addons for Elementor ,, which gives WordPress users access to a collection of over 80 extensions and elements that can be used to customize and design pages and posts.
“This vulnerability allows any user, regardless of their authentication or authorization status, to perform a local file inclusion attack,” Patchstack said in a report. “This attack can be used to include local files on the filesystem of the website, such as /etc/passwd. This can also be used to perform RCE by including a file with malicious PHP code that normally cannot be executed. “
That said, the vulnerability only exists if widgets like dynamic gallery and product gallery are used, which utilize the vulnerable function, resulting in local file inclusion – an attack technique in which a web application is tricked into exposing or running arbitrary files on the webserver.
The flaw impacts all versions of the addon from 5.0. 4 and below, and credited with discovering the vulnerability is researcher Wai Yan Myo Thet. Following responsible disclosure, the security hole was finally plugged in version 5.0. 5 released on January 28 “after several insufficient patches. “
This development follows weeks of revelations that unknown actors had manipulated dozens WordPress plugins and themes hosted on a website of a developer to create a backdoor for further infection.