This Popular WordPress Plugin Exposed 600K Sites To Remote Hacks, Patch ASAP
Researchers say you should upgrade a popular WordPress plugin sooner rather than later, or else you could end up losing access to your website, and potentially your web server!
If you exist on the internet, you likely know of or have seen at least one WordPress site. The content-management software is likely the most popular of its kind on the planet, running 37% of all websites in 2021 according to Envisage Digital. Unfortunately for more than 600,000 users of a popular plugin, there is a vulnerability that could allow a hacker to take remote control of their websites!
Essential Addons for Elementor, which has more than one million active installations and adds a slew of useful template widgets and extensions, has a severe vulnerability in versions 5.0.4 and below. Originally discovered by researcher Wai Yan Myo, the flaw allows any visitor, regardless of authentication or authorization status, to perform a local file inclusion (LFI) attack: the attacker chooses which file on the web server's file system PHP loads. On a Linux server, for example, they could have the server read back ‘/etc/passwd’, which lists the local user accounts, and an LFI can typically be escalated further by including any file the attacker has managed to get onto the disk (an upload or a log containing PHP code), which the server then runs as its own code.
The nasty little vulnerability arises from a combination of AJAX handlers and PHP’s ‘include’ function: the plugin accepted a file name supplied by the client, through a URL parameter or a POST payload, and passed it straight to ‘include’. AJAX requests are how a page’s JavaScript asks the server for data or HTML after the page has loaded; WordPress routes them through admin-ajax.php, and handlers registered for unauthenticated callers run for anyone who can reach the site. There was, unfortunately, no proper sanitisation of this input, so the plugin would include whatever file the request named, and, if that file contained the right code, grant access to anything on the server.
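As an added illustration (hypothetical code written for this article, not Essential Addons’ own source), here is the bug class described above as a WordPress admin-ajax handler, followed by a hardened version. The action names (‘demo_load_template’), the ‘templates/’ directory, the ‘template’ POST field and the nonce name are all assumptions; the WordPress functions (add_action, check_ajax_referer, sanitize_key, wp_send_json_error, plugin_dir_path) are real.

```php
<?php
// Illustrative example for this article, not the plugin's own code.
// Shows an admin-ajax handler that passes a request parameter into include(),
// and a hardened handler that only ever loads files from a fixed allowlist.

// --- Vulnerable pattern (hypothetical) ---
// Registered for both logged-in and anonymous callers (wp_ajax_nopriv_*),
// so no authentication is needed to reach it.
add_action('wp_ajax_demo_load_template', 'demo_load_template_vulnerable');
add_action('wp_ajax_nopriv_demo_load_template', 'demo_load_template_vulnerable');

function demo_load_template_vulnerable() {
    // $_POST['template'] is attacker-controlled and goes straight into include().
    // A POST of template=../../../../../../etc/passwd makes PHP read that file
    // and echo its contents back (non-PHP text inside an included file is output
    // verbatim). Pointing it at any file on disk that contains <?php ... ?>
    // (an uploaded "image", a log line, a file in /tmp) executes it as code.
    $template = $_POST['template'];
    include plugin_dir_path(__FILE__) . 'templates/' . $template;
    wp_die();
}

// --- Hardened pattern (hypothetical) ---
add_action('wp_ajax_demo_load_template_safe', 'demo_load_template_safe');
add_action('wp_ajax_nopriv_demo_load_template_safe', 'demo_load_template_safe');

function demo_load_template_safe() {
    // 1. Require a nonce so the request originates from a page this site served
    //    (assumed nonce action name 'demo_template_nonce', sent in POST field 'nonce').
    check_ajax_referer('demo_template_nonce', 'nonce');

    // 2. The request selects a KEY, never a path. Unknown keys are rejected.
    $allowed = [
        'grid' => 'grid.php',
        'list' => 'list.php',
        'card' => 'card.php',
    ];
    $key = isset($_POST['template']) ? sanitize_key(wp_unslash($_POST['template'])) : '';
    if (!isset($allowed[$key])) {
        wp_send_json_error('unknown template', 400); // sends JSON and exits
    }

    // 3. Defence in depth: after resolving symlinks and '..', the file must still
    //    live under the plugin's templates/ directory.
    $base = realpath(plugin_dir_path(__FILE__) . 'templates');
    $path = realpath($base . DIRECTORY_SEPARATOR . $allowed[$key]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_send_json_error('template not found', 404);
    }

    include $path;
    wp_die();
}
```

The allowlist map is the real fix: no string from the request is ever concatenated into a path, so traversal sequences have nothing to act on. The realpath check is belt-and-braces for the day someone edits the map to hold a path computed from configuration, and the nonce keeps the endpoint from being driven directly by an arbitrary client.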
The WordPress security company Patchstack has significantly more detail on how the attack works here. The developers of Essential Addons for Elementor have issued a patch (version 5.0.5), and it is available either via the WordPress plugin manager interface, from the command line with WP-CLI (‘wp plugin update essential-addons-for-elementor-lite’), or via this download page.