600,000 WordPress sites affected by critical RCE plugin vulnerability

Essential Addons for Elementor, a popular WordPress plugin used in over a million sites, has a critical Remote Code Execution (RCE) vulnerability in version 5.0.4 and earlier.

The flaw allows an unauthenticated attacker to perform a local file inclusion (LFI) attack, causing the site to include an attacker-chosen local file, such as a PHP file already present on the server, and thereby execute code on the site.

“The local file include vulnerability exists due to the way user input data is used in PHP’s include function which is part of the ajax_load_more and ajax_eael_product_gallery functions,” explain the Patchstack researchers who discovered the vulnerability.

The only prerequisite for the attack is that the site has the “live gallery” and “product gallery” widgets enabled, because the vulnerable AJAX handlers only check a nonce token, and a page using those widgets exposes that token to any visitor.

[Image: Sample code that triggers the flaw. Source: Patchstack]

Two failed patch attempts

Researcher Wai Yan Muo Thet discovered the vulnerability on January 25, 2022, and the plugin developer already knew of its existence at that time.

In fact, the author had already released version 5.0.3 to address this problem by passing the user input through WordPress’ “sanitize_text_field” function. However, that sanitization strips tags and encodes characters; it does nothing to stop directory traversal sequences, so local file inclusion payloads still went through.

The second attempt was version 5.0.4, which added the “sanitize_file_name” function in an effort to strip special characters, dots, slashes, and anything else that could be used to bypass the text sanitization step.

[Image: Function to clean the text field. Source: Patchstack]

This was the version that Patchstack tested and found still vulnerable, so they informed the developer that the patch did not sufficiently mitigate the problem.

Eventually, the author released version 5.0.5, which uses PHP’s “realpath” function to resolve the user-supplied path to its canonical form before it is used, so that traversal sequences can no longer resolve to a file outside the intended directory.

Update and mitigate

This version was released last week, January 28, 2022, and to date has only been installed around 380,000 times according to WordPress’ download statistics.

With the plugin installed in over a million WordPress sites, this means that more than 600,000 sites have not yet applied the security update.

If you are among the many users of Essential Addons for Elementor, you can get the latest version from the plugin’s page in the WordPress plugin directory or apply the update directly from the WP dashboard.

To limit what an attacker can do with a local file inclusion flaw in your own code, even where a specific flaw cannot be fixed directly, follow these practices:

  • Store file paths in a database and assign each one an identifier, so clients reference files only by identifier and never by path.
  • Include only files that appear on a verified allowlist and reject everything else.
  • Do not keep includable files on the web server where they can be tampered with; store that content in a database instead.
  • Have the server send download headers for files in a given directory instead of executing them.
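The following is an added example, not code from the plugin or from the article, that models the two patterns the text describes: a handler that concatenates a request parameter straight into include(), and a hardened version that resolves the candidate with realpath() and requires it to lie inside the canonical template directory, with an identifier-to-file map on top as the first mitigation bullet suggests. The function names, parameter names and the on-disk fixture are hypothetical and constructed for the demonstration; it runs with plain PHP (no WordPress) from the command line.

```php
<?php
// Added example (hypothetical names; not the plugin's code).
declare(strict_types=1);

// --- constructed fixture: a templates directory plus one file outside it ---
$base = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir("$base/templates", 0700, true);
file_put_contents("$base/templates/grid.php", "<?php echo 'grid template ok';");
file_put_contents("$base/secret.php", "<?php echo 'OUTSIDE THE TEMPLATE DIRECTORY';");

/**
 * Vulnerable pattern: the request value is concatenated into the include path.
 * A value such as "../secret" walks out of the templates directory; text or
 * file-name sanitization that leaves dots and slashes intact does not help.
 */
function load_template_vulnerable(string $templateDir, string $requested): void
{
    include $templateDir . '/' . $requested . '.php';
}

/**
 * Hardened pattern: canonicalise both the directory and the candidate with
 * realpath(), then require the candidate to be strictly inside the directory.
 * Returns the safe absolute path, or null when the check fails.
 */
function resolve_template(string $templateDir, string $requested): ?string
{
    $dir = realpath($templateDir);
    $candidate = realpath($templateDir . '/' . $requested . '.php');
    if ($dir === false || $candidate === false) {
        return null; // directory or file does not exist
    }
    // Compare against the directory plus a trailing separator so that a
    // sibling such as "/templates-evil" cannot pass as a child of "/templates".
    $prefix = $dir . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the template directory
    }
    return $candidate;
}

function load_template_hardened(string $templateDir, string $requested): bool
{
    $path = resolve_template($templateDir, $requested);
    if ($path === null) {
        return false; // nothing is included
    }
    include $path;
    return true;
}

// Extra layer: clients name an opaque identifier, never a path; the server
// owns the identifier-to-file mapping and still runs the realpath check.
const TEMPLATE_BY_ID = ['gallery-grid' => 'grid'];

function load_template_by_id(string $templateDir, string $id): bool
{
    if (!array_key_exists($id, TEMPLATE_BY_ID)) {
        return false;
    }
    return load_template_hardened($templateDir, TEMPLATE_BY_ID[$id]);
}

// --- demonstration ---
$dir = "$base/templates";
echo "vulnerable, traversal payload : ";
load_template_vulnerable($dir, '../secret');          // prints the file outside the directory
echo PHP_EOL . "hardened,   traversal payload : ";
var_dump(load_template_hardened($dir, '../secret'));  // bool(false), nothing included
echo "hardened,   legitimate name   : ";
var_dump(load_template_hardened($dir, 'grid'));       // "grid template ok" then bool(true)
echo "by id,      unknown identifier: ";
var_dump(load_template_by_id($dir, 'does-not-exist')); // bool(false)

// clean up the constructed fixture
unlink("$base/templates/grid.php");
unlink("$base/secret.php");
rmdir("$base/templates");
rmdir($base);
```

Run it with `php lfi-demo.php`. The point of calling realpath() on the directory as well as on the candidate is that symlinks or a non-canonical configured path would otherwise make the prefix comparison unreliable; resolving both sides first, and then comparing against the directory with its trailing separator, is what turns realpath() from a mere path normalisation into an actual containment check.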
