WordPress Vulnerability in Essential Addons for Elementor
The Essential Addons for Elementor WordPress plugin, with over one million users, recently patched several vulnerabilities that could have allowed malicious attackers to execute arbitrary code on a targeted WordPress website.
LFI Vulnerability That Can Lead to RCE
According to the US government website NIST, vulnerabilities in the Essential Addons for Elementor plugin allowed an attacker to launch a Local File Inclusion attack, which is an exploit that allows an attacker to cause a WordPress installation to reveal sensitive information and read arbitrary files.
From there, the attack could lead to a more serious attack called Remote Code Execution (RCE). Remote code execution is a very serious form of attack in which a hacker is able to execute arbitrary code on a WordPress site and cause a range of damage, including a complete takeover of the site.
For example, a local file inclusion attack can be accomplished by changing the URL parameters to something that could reveal sensitive information.
This was made possible because the Essential Addons for Elementor WordPress plugin did not properly validate and sanitize the data.
Data sanitization is a process to limit the type of information that can be entered. In simple terms, data sanitization can be thought of as a lock that accepts only a key with a specific pattern. A data sanitization failure could be analogous to a lock that allows any key to open it.
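As an added illustration (not code from the plugin or from this article's sources), the following PHP sketch shows the "lock and key" idea applied to template paths: validate the name against an allowlist, canonicalize it, and confirm it stays inside the template directory. The function name, directory and template names are hypothetical, and the inputs are constructed samples.

```php
<?php
// Added example: resolve_template(), the temp directory and the template
// names are hypothetical and are not taken from the plugin's code.

/**
 * Resolve a user-supplied template name to a file inside $base_dir.
 * Returns null when the name is not allowlisted, the file is missing,
 * or the canonical path falls outside the template directory.
 */
function resolve_template(string $base_dir, string $requested, array $allowed): ?string
{
    // 1. Validate: accept only names on an explicit allowlist.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Canonicalize: realpath() resolves ".." and symlinks, false if missing.
    $base = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Confine: the canonical path must still sit under the template directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary template directory holding one real template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . uniqid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'card.php', '<?php echo "card";');

$allowed = ['card', 'grid'];                      // 'grid' is allowlisted but absent
$inputs  = ['card', 'grid', '../outside', 'card/../../outside'];
foreach ($inputs as $input) {
    // The unsafe pattern would be: include $dir . '/' . $input . '.php';
    $resolved = resolve_template($dir, $input, $allowed);
    printf("%-22s => %s\n", $input, $resolved === null ? 'rejected' : 'accepted');
}

// Clean up the constructed files.
unlink($dir . DIRECTORY_SEPARATOR . 'card.php');
rmdir($dir);
```

Only `card` is accepted; the allowlisted but missing `grid` and both traversal-style names are rejected before any `include` would run.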
According to the United States government National Vulnerability Database:
“Essential Addons for Elementor WordPress plugin prior to 5.0.5 does not validate and sanitize certain template data before it is included in instructions, which could allow unauthenticated attackers to perform a local file inclusion attack and read arbitrary files on the server, this could also lead to RCE via user-uploaded files or other LFI-to-RCE techniques.”
The WPScan security site, which was the first to discover and report the vulnerability, published the following description:
“The plugin does not validate or sanitize certain model data before it is included in instructions, which could allow unauthenticated attackers to perform a local file inclusion attack and read arbitrary files on the server, it could also lead to RCE via user-uploaded files or other LFI-to-RCE techniques.”
Essential Addons for Elementor Patched
The vulnerability was announced on the National Vulnerability Database site on February 1, 2022.
But the “Lite” version of the Essential Addons for Elementor plugin has been patching vulnerabilities since late January, according to the Essential Addons Lite changelog.
A changelog is a software log of all the changes made to each updated version. It is a record of everything that has been changed.
Oddly enough, the changelog for the Pro version only mentions “Some minor bug fixes and improvements” but does not mention security fixes at all.
Screenshot of Essential Addons for Elementor Pro Changelog
Why is the security patch information missing in the Pro version of the WordPress plugin?
Changelog for Lite version of Essential Addons for Elementor Lite Plugin
The Lite version changelog shows that versions 5.0.3 to 5.0.5 were released from January 25 to January 28, 2022 to fix the following issues:
- Fixed: Parameter cleanup in dynamic widgets
- Improved: Cleaned up template file paths for improved security
- Improved: Enhanced security to prevent inclusion of junk file from remote server via ajax request
The changelog notes that today, February 2, 2022, the following security enhancement was made for version 5.0.6:
- Improved: sanitizing, validating and escaping data for improved security
Which is the safest version of Essential Addons for Elementor plugin?
The US Government Vulnerability Database has not assigned a severity score, so it is unclear at this time how severe the vulnerability is.
However, a remote code execution vulnerability is of particular concern, so it’s probably a good idea to update to the very latest version of the Essential Addons plugin.
The WPScan website says the vulnerabilities have been fixed in Essential Addons for Elementor Plugin version 5.0.5.
However, the plugin changelog for the Lite version of the plugin indicates that version 5.0.6 fixes an additional data sanitization issue today, February 22, 2022.
It may therefore be prudent to update to at least version 5.0.6.