The WordPress plugin exposes half a million sites to attack
December 8, 2023
A popular WordPress plugin used by more than a million websites all over the world is carrying a critical remote code execution (RCE) flaw that allowed potential malicious actors to perform a local file inclusion attack.
Cybersecurity researcher Wai Yan Muo Thet discovered the vulnerability in the Essential Addons for Elementor plugin on January 25, 2022, and reported it to Patchstack the same day.
WPDeveloper, the owner of the plugin in question, was already aware of the vulnerability and had already made two unsuccessful attempts to fix the issue.
Fixing the Issue
“The local file inclusion vulnerability exists because of the way user input data is used inside PHP’s include function, which is part of the ajax_load_more and ajax_eael_product_gallery functions,” Patchstack explained.
The only thing the vulnerable site needs is to have the “dynamic gallery” and “product gallery” widgets enabled, it added.
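To make the defect class concrete, here is an added example (not code from Essential Addons for Elementor, Patchstack or WordPress) of an AJAX handler that builds an include path from request input, beside a hardened version that only maps a fixed allow-list of keys to files. The function names, the template directory and the layout names are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Names (load_template_unsafe,
// load_template_safe, TEMPLATE_DIR, the layout keys) are hypothetical.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates'; // hypothetical plugin template directory

// Vulnerable pattern: a request value flows straight into include, so the
// client chooses which local file the server executes (local file inclusion).
function load_template_unsafe(array $request): void
{
    $layout = $request['layout'] ?? 'default';
    include TEMPLATE_DIR . '/' . $layout . '.php';
}

// Hardened pattern: the request only selects a key; the file name comes from
// a fixed table and is never assembled from user input.
const ALLOWED_LAYOUTS = [
    'grid'     => 'grid.php',
    'masonry'  => 'masonry.php',
    'carousel' => 'carousel.php',
];

function resolve_template(string $layout): ?string
{
    // Defence in depth: reject anything that is not a plain token before the lookup.
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $layout)) {
        return null;
    }
    if (!array_key_exists($layout, ALLOWED_LAYOUTS)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . ALLOWED_LAYOUTS[$layout]);
    // realpath() fails for a missing file; also confirm the result stays inside the directory.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function load_template_safe(array $request): bool
{
    // In a WordPress AJAX handler, verify the request nonce first, e.g. with
    // check_ajax_referer(), so unauthenticated callers never reach this point.
    $path = resolve_template((string) ($request['layout'] ?? 'grid'));
    if ($path === null) {
        http_response_code(400);
        return false;
    }
    include $path;
    return true;
}
```

The allow-list is the important part: once the file name can only come from the table, traversal characters or unexpected extensions in the request are irrelevant, and the regex and `realpath()` checks are only there to catch mistakes in the table itself.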
Versions 5.0.3 and 5.0.4 each tried to address the issue, which was finally solved in version 5.0.5. At the moment, some 400,000 sites have upgraded the plugin, meaning roughly 600,000 are still vulnerable.
Those running Essential Addons for Elementor have two ways to go about fixing the issue: downloading the latest version from this link, or heading over to the WordPress dashboard and triggering the update directly from there.
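For administrators who manage many installs, a quick way to confirm whether a copy is still on a pre-fix release is to read the plugin's own version header and compare it with 5.0.5. The script below is an added example, not part of the article or the plugin; the plugin path is a placeholder and the header text is constructed for the demonstration.

```php
<?php
// Added example, not the plugin's or WordPress's code. Reports whether a plugin's
// "Version:" header is older than the first fixed release the article names (5.0.5).
declare(strict_types=1);

const FIXED_VERSION = '5.0.5';

// WordPress plugin headers are "Key: Value" lines in the main file's leading comment.
function plugin_header_version(string $fileContents): ?string
{
    if (preg_match('/^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$/m', $fileContents, $m)) {
        return $m[1];
    }
    return null;
}

function is_vulnerable_version(string $version): bool
{
    return version_compare($version, FIXED_VERSION, '<');
}

// Placeholder path; replace with the plugin's main file on the install being checked.
$pluginFile = '/path/to/wp-content/plugins/<plugin-slug>/<main-file>.php';

// Constructed sample header used when the placeholder path is not readable.
$sample = <<<'EOT'
<?php
/**
 * Plugin Name: Essential Addons for Elementor
 * Version: 5.0.4
 */
EOT;

$contents = is_readable($pluginFile) ? (string) file_get_contents($pluginFile) : $sample;
$version  = plugin_header_version($contents);

if ($version === null) {
    echo "No Version header found\n";
} elseif (is_vulnerable_version($version)) {
    echo "Version {$version} is older than {$FIXED_VERSION}: update the plugin\n";
} else {
    echo "Version {$version} is at or above {$FIXED_VERSION}\n";
}
```

`version_compare()` understands the dotted release numbers WordPress plugins use, so 5.0.10 is correctly treated as newer than 5.0.5, which a plain string comparison would get wrong.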
WordPress plugins have proved to be tempting targets for hackers exploiting major vulnerabilities in recent months. In November 2021, researchers discovered a site takeover flaw in the Preview E-mails for WooCommerce addon, while in December 2021, a vulnerability in the popular WPS Hide Login plugin could have allowed attackers access to a site’s administrator login page.
The good news is that the plugins’ owners are usually quick to react when vulnerabilities are disclosed. Site owners running WordPress sites are advised to keep all of their addons updated at all times, to keep the risk of an attack down to a minimum.