WordPress plugin problem patched

Developers have fixed a critical vulnerability in Essential Addons for Elementor, a popular WordPress plugin with more than one million active installations.

The security flaw, discovered by Wai Yan Myo Thet, creates a mechanism for any user to perform a local file inclusion (LFI) attack.

Worse yet, the vulnerability is capable of being leveraged to achieve remote code execution (RCE) by including a file with malicious PHP code that normally cannot be executed.

Botched fixes

Wai Yan Myo Thet was able to report the flaw to developers of the plugin with the help of WPScan.

After two botched or at least incomplete fixes, the underlying vulnerability was comprehensively resolved in version 5.0.5 of Essential Addons for Elementor.

Essential Addons for Elementor is billed as technology that can “enhance your Elementor page building experience with 80+ creative elements and extensions.”


Catch up on the latest WorPress-related security news and analysis


As explained in a technical write-up of the vulnerability by WordPress security specialist Patchstack, the LFI vulnerability stems from how input data is used by the ajax_load_more and ajax_eael_product_gallery functions.

The vulnerability only exists if widgets (dynamic gallery, product gallery) are used which utilize these functions, according to Patchstack, which adds that use of widgets exposes a cryptographic nonce token.

Patchstack was instrumental in warning the developers that their two initial attempts to resolve the vulnerability were incomplete.

Embedded widgets

Dave Jong, CTO of Patchstack, told The Daily Swig that prior to its resolution the vulnerability was capable of being exploited by even unauthenticated users.

“The core issue, local file inclusion, is indeed something that can be exploited by unauthenticated users,” Jong explained. “The only requirement is that these widgets have been embedded into a page because a nonce token is sent (to prevent CSRF) and verified in these vulnerable functions. Without the nonce token, you cannot reach the vulnerable piece of code.”

In several scenarios an attacker would be able to harness this vulnerability to achieve RCE without having to log in or even create an account on a targeted system.

“If, for example, the site stores and keeps log files on the server, and you can inject PHP code into these log files and then include this log file using the LFI vulnerability, the PHP code inside of the log file will be executed,” according to Jong.

He continued: “Another example: perhaps a form where users can upload their resume could be exploited the same way. I can create a legitimate PDF file but inject PHP inside of it somewhere. Then if I know the location of where the PDF file is uploaded, I can include this PDF file and the PHP code would be executed.”


YOU MAY ALSO LIKE Critical Samba flaw presents code execution risk