According to security researchers, a weakness in a popular WordPress plugin exposed more than a million sites to hostile actors.
The flaw was identified on October 4 and patched three days later, on October 7; all users, and especially those still running version 2.7.0 or older, are urged to update to at least version 2.7.5.
Essential Addons for Elementor, a popular WordPress plugin installed on over a million sites, was found to contain a critical remote code execution (RCE) vulnerability affecting version 5.0.4 and earlier.
The flaw lets an unauthenticated user execute code on the site through a local file inclusion (LFI) attack: the plugin can be made to include a file that already exists on the server, such as a PHP file, instead of the template it expects.
Two Patching Attempts Failed
Researcher Wai Yan Muo Thet reported the vulnerability on January 25, 2022; the plugin author was already aware of it at that time.
In fact, the author had already released version 5.0.3 to fix the issue by passing the user input through WordPress's sanitize_text_field() function. That function strips HTML tags and stray whitespace, but it leaves dots and slashes untouched, so it does nothing to stop a local path from being supplied and included.
The second attempt, version 5.0.4, switched to sanitize_file_name(), which removes special characters, repeated dots and slashes, in an effort to strip anything that could be used to get past the text sanitisation step.
Patchstack tested this version, found it still exploitable, and notified the developer that the update had not effectively mitigated the issue.
The author finally published version 5.0.5, which passes the requested path through PHP's realpath() function so that it is resolved to its canonical form before use, closing the path manipulation that string-level sanitisation had left open.
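The kind of check that realpath() makes possible, shown as an added example written for this article rather than code taken from Essential Addons for Elementor: the first two fixes rewrote the input string, while this one resolves the path and then verifies where it landed. The function name, the temporary directory layout and the payloads are all constructed for the demo and are not from the plugin.

```php
<?php
// Added example, not code from Essential Addons for Elementor. Function names,
// the directory layout and the payloads are constructed for this demo.

/**
 * Resolve a user-supplied template name inside $base_dir and return the
 * canonical absolute path, or null when the request must not be included.
 */
function resolve_template_path(string $base_dir, string $template_name): ?string
{
    // Canonicalise the allowed directory once. realpath() returns false for a
    // non-existent directory; treat that as "nothing is allowed".
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }

    // realpath() refuses embedded null bytes (PHP 8 throws a ValueError), so
    // reject them up front instead of relying on that behaviour.
    if (strpos($template_name, "\0") !== false) {
        return null;
    }

    // Only ever look for *.php files below $base. Appending the extension here
    // also sidelines stream wrappers such as php://filter, because realpath()
    // resolves only real filesystem paths and returns false for anything else.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $template_name . '.php');
    if ($candidate === false) {
        return null;
    }

    // The decisive check: after ".." and symlink resolution the file must still
    // sit under $base. Compare against the directory plus a separator so that a
    // sibling such as "/srv/templates-evil/x.php" is not accepted for "/srv/templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Demo fixture: one legitimate template plus a file one level up that stands
// in for wp-config.php. Constructed for this run and removed afterwards.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi-demo-' . getmypid();
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/default.php', "<?php return 'default template';");
file_put_contents($root . '/secret.php', "<?php return 'DB_PASSWORD';");

$payloads = [
    'default',                        // legitimate request
    '../secret',                      // classic traversal
    '/etc/passwd',                    // absolute path; concatenated under $base it is just a missing file
    "default\0",                      // null byte, the old trick for dropping an appended extension
    'php://filter/resource=default',  // stream wrapper
];
foreach ($payloads as $p) {
    $resolved = resolve_template_path($root . '/templates', $p);
    printf("%-36s => %s\n", addcslashes($p, "\0..\37"), $resolved === null ? 'rejected' : 'include ' . $resolved);
}

// Clean up the fixture.
unlink($root . '/templates/default.php');
unlink($root . '/secret.php');
rmdir($root . '/templates');
rmdir($root);
```

Run it with the PHP CLI: only the legitimate name resolves to a path under the templates directory, every other payload is rejected before anything reaches include(). The point is that the check is on the resolved location, not on the characters in the request, so it does not need a list of bad substrings that an attacker can work around.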
Update and Mitigation
According to WordPress.org download statistics, this version was released last week, on January 28, 2022, and had been installed only around 380,000 times at the time of writing.
With the plugin active on over 1 million WordPress sites, that leaves more than 600,000 sites that have not yet received the security update.
Unprotected API Endpoints
The issue stems from the plugin registering two REST API routes that are used to read and update its email template settings.
Because these endpoints lack an adequate permission check, anyone, including an unauthenticated visitor, can call them and run the underlying functions.
This could in turn allow the creation of new admin accounts, redirection of site visitors to phishing sites, injection of backdoors into theme files, and ultimately full site takeover.
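What an unprotected REST route looks like beside a protected one, as an added example written for this article and not code from the plugin described here. The namespace, route names, option key and capability are assumptions made for the demo; the open variant is registered only so the two can be compared with curl.

```php
<?php
// Added example, not code from the plugin described above. The namespace,
// route names, option key and capability are assumptions for this demo.

add_action('rest_api_init', function () {
    // Weak pattern: '__return_true' as permission_callback declares the route
    // public. Anyone who can reach /wp-json/ can read or overwrite the template.
    // Registered here only for comparison; do not ship it.
    register_rest_route('example/v1', '/email-template-open', [
        [
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_get_email_template',
            'permission_callback' => '__return_true',
        ],
        [
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_set_email_template',
            'permission_callback' => '__return_true',
        ],
    ]);

    // Hardened pattern: every method is gated on a capability, and the write
    // path declares and sanitises its argument.
    register_rest_route('example/v1', '/email-template', [
        [
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_get_email_template',
            'permission_callback' => 'example_can_manage_email_template',
        ],
        [
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => 'example_set_email_template',
            'permission_callback' => 'example_can_manage_email_template',
            'args'                => [
                'html' => [
                    'required'          => true,
                    'type'              => 'string',
                    'sanitize_callback' => 'wp_kses_post',
                ],
            ],
        ],
    ]);
});

// Authorisation lives in one place. A cookie-authenticated caller must also
// send the X-WP-Nonce header (nonce action 'wp_rest'); without it WordPress
// treats the request as anonymous and current_user_can() returns false.
function example_can_manage_email_template(): bool
{
    return current_user_can('manage_options');
}

function example_get_email_template(WP_REST_Request $request)
{
    return rest_ensure_response(['html' => get_option('example_email_template', '')]);
}

function example_set_email_template(WP_REST_Request $request)
{
    update_option('example_email_template', $request->get_param('html'));
    return rest_ensure_response(['saved' => true]);
}
```

To check a site, request both routes without any cookie: the open one returns the template, while the protected one answers with the `rest_forbidden` error (HTTP 401 for an anonymous caller, 403 for a logged-in user who lacks the capability). Since WordPress 5.5 a route registered with no permission_callback at all still behaves as public but triggers a "doing it wrong" notice, which is worth grepping a plugin's debug log for.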
Disclosure and Potential Fixes
Wordfence discovered and reported the vulnerability to the plugin's developer on December 23, 2021, but did not receive a response until January 10, 2022. The security update that fixed the issue, version 3.1, was released on January 13, 2022.
Site Takeover Can Be a Possibility
The batch-process function behind this action did perform a nonce check, the researchers note, but that was a weak gate: the required AJAX nonce was also exposed to contributors in the page source of the WordPress dashboard. A nonce shows only that a request came from a page that rendered it for that user; it says nothing about whether the user is allowed to perform the action, which is what a capability check is for.
According to Wordfence, the flaw could be used to redirect visitors to a malicious site, hijack an admin session to create new administrators, or plant a backdoor on the site, any of which can lead to a full site takeover.
Because the last of these is a severe risk, Wordfence advises all affected users to spread the word and raise awareness of the vulnerability.
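The nonce-only pattern beside the corrected one, as an added example written for this article and not the plugin's own code. The AJAX action names, the nonce action, the option key and the admin page hook are assumptions made for the demo; the weak handler is included only for contrast.

```php
<?php
// Added example, not the plugin's code. Action names, the nonce action, the
// option key and the admin page hook are assumptions made for this demo.

// Weak pattern: the nonce is the only gate. check_ajax_referer() proves the
// request originated from a page that rendered the nonce for this user,
// nothing more. Any logged-in user whose dashboard carries the nonce in its
// page source, a contributor included, can replay it. Kept for comparison only.
function example_batch_process_weak()
{
    check_ajax_referer('example_batch_nonce', 'security');
    $source = sanitize_text_field(wp_unslash($_POST['source'] ?? ''));
    update_option('example_import_source', $source);
    wp_send_json_success(['saved' => $source]);
}
add_action('wp_ajax_example_batch_process_weak', 'example_batch_process_weak');

// Hardened pattern: the nonce defeats CSRF, the capability check decides who
// may perform the action. Both are needed; neither replaces the other.
function example_batch_process()
{
    check_ajax_referer('example_batch_nonce', 'security');
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Insufficient permissions.'], 403); // ends the request
    }
    $source = sanitize_text_field(wp_unslash($_POST['source'] ?? ''));
    update_option('example_import_source', $source);
    wp_send_json_success(['saved' => $source]);
}
add_action('wp_ajax_example_batch_process', 'example_batch_process');
// No wp_ajax_nopriv_ hook is registered, so anonymous callers never reach either handler.

// Render the nonce only on the screen where privileged users need it, so a
// contributor's dashboard does not carry it in its page source at all.
add_action('admin_enqueue_scripts', function ($hook_suffix) {
    if ($hook_suffix !== 'tools_page_example-import' || !current_user_can('manage_options')) {
        return;
    }
    wp_enqueue_script('example-import', plugins_url('import.js', __FILE__), ['jquery'], '1.0', true);
    wp_localize_script('example-import', 'exampleImport', [
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('example_batch_nonce'),
    ]);
});
```

To confirm the difference, log in as a contributor who holds a valid nonce for their own session (nonces are bound to the user, so it must be one rendered for that account, which is exactly what the exposed dashboard did) and POST `action=example_batch_process_weak` and then `action=example_batch_process` to admin-ajax.php with the same `security` value: the weak handler updates the option, the hardened one answers HTTP 403.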
Wrapping It Up
If you use Essential Addons for Elementor, download the current version from the WordPress plugin directory or update immediately from the WP dashboard.
Follow these practices to keep attackers from exploiting local file inclusion flaws, even where the underlying bug cannot be fixed directly:
- Store file paths in a database and hand the client only an ID for each one; never accept a path from the request.
- Serve only files on a validated, secured allowlist and ignore every other request.
- Keep the files in a database rather than on the web server, where they could be tampered with.
- Rather than executing files from a given directory, have the server send download headers so the file is delivered as an attachment instead of being interpreted.
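The steps above combined into one request handler, as an added example for this article rather than code from any plugin discussed on this page. It takes an integer ID, looks it up in a server-side table standing in for the database row, and streams the file with download headers instead of including it; the table, the private directory outside the web root and the `id` parameter are assumptions made for the demo, and the application's own authentication check is left as a marked gap because the page does not specify one.

```php
<?php
// Added example, not code from any plugin discussed above. The file table,
// the private directory and the parameter name are assumptions for this demo.

// Steps 1 and 2: the client sends only an integer ID; the server maps it to a
// file name it chose itself. A database row would normally hold this record.
const EXAMPLE_PRIVATE_DIR = '/var/app/private'; // outside the web root (assumed)
const EXAMPLE_FILES = [
    1 => ['file' => 'report-2022-01.pdf', 'type' => 'application/pdf'],
    2 => ['file' => 'export.csv',         'type' => 'text/csv'],
];

/**
 * Look up a file by ID. Returns [absolute path, download name, MIME type],
 * or null when the ID is unknown or the file is not where it should be.
 */
function example_lookup_file(int $id): ?array
{
    $row = EXAMPLE_FILES[$id] ?? null;
    if ($row === null) {
        return null;
    }
    $path = EXAMPLE_PRIVATE_DIR . DIRECTORY_SEPARATOR . $row['file'];
    return is_file($path) ? [$path, $row['file'], $row['type']] : null;
}

// Step 4: deliver the bytes as an attachment. The file is streamed, never
// include()d, so an uploaded .php or .phtml is data to the browser, not code.
function example_send_download(string $path, string $name, string $type): void
{
    header('Content-Type: ' . $type);
    header('Content-Disposition: attachment; filename="' . addcslashes($name, "\"\\\r\n") . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Request handling: anything that is not a known integer ID is a 404, so no
// error message ever echoes back a path. Put the application's authentication
// and authorisation check here, before the lookup; this demo shows only the
// path-handling part.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$file = ($id === null || $id === false) ? null : example_lookup_file($id);
if ($file === null) {
    http_response_code(404);
    exit('Not found');
}
example_send_download(...$file);
```

The design choice worth noting is that no string from the request is ever joined into a filesystem path: the only thing the client controls is which row is selected, and a row that points at a missing file is treated the same as an unknown ID. Storing the files themselves in the database, as the third step suggests, changes only where `example_lookup_file()` reads the bytes from; the ID-only interface and the attachment headers stay the same.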