WordPress plugin exposes half a million sites to attack

By Scott Marlette Last updated Feb 2, 2022

A popular WordPress plugin used by more than a million websites all over the world has been found to be carrying a critical remote code execution (RCE) flaw that allowed potential malicious actors to perform a local file inclusion attack.

Cbersecurity researcher Wai Yan Muo Thet discovered the vulnerability in the Essential Addons for Elementor plugin on January 25, 2022, and reported it to Patchstack the same day.

WPDeveloper, the owner of the plugin in question, was already aware of the vulnerability, and has already made two unsuccessful attempts to fix the issue.

Fixing the issue

“The local file inclusion vulnerability exists due to the way user input data is used inside of PHP’s include function that are part of the ajax_load_more and ajax_eael_product_gallery functions,” PatchStack explained.

The only thing the vulnerable site needs, is to have the “dynamic gallery” and “product gallery” widgets enabled, it added.

Versions 5.0.3 and 5.0.4 both tried to address the problem, which was finally solved in version 5.0.5. At the moment, some 400,000 websites have upgraded the plugin, meaning roughly 600,000 are still vulnerable.

Those running Essential Addons for Elementor have two ways to go about fixing the issue: either downloading the latest version from this link, or heading over to the WordPress dashboard and triggering the update directly from there.

WordPress plugins have proved popular targets for hackers attacking major vulnerabilities in recent months. In November 2021, researchers found a website takeover flaw in the Preview E-mails for WooCommerce addon, while in December 2021, a vulnerability in the popular WPS Hide Login plugin could have allowed attackers access to a site’s administrator login page.

The good news is that the plugins’ owners are usually quick to react, when the vulnerabilities are disclosed. Webmasters running WordPress sites are advised to keep all of their addons updated at all times, to bring the risk of an attack down to a minimum.

Via: BleepingComputer

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.