WordPress

WordPress Vulnerability in Essential Addons for Elementor Plugin

Photo of SEO SEO Send an email September 30, 2024
0 3 3 minutes read

The Essential Addons for Elementor WordPress plugin, used by over a million users, recently patched multiple vulnerabilities that could have allowed malicious attackers to run arbitrary code on targeted WordPress websites.

LFI to RCE Attack Vulnerability

According to the U.S. Government NIST website, vulnerabilities within the Essential Addons for Elementor plugin enabled attackers to launch a Local File Inclusion (LFI) attack. This exploit allows attackers to cause a WordPress installation to reveal sensitive information and read arbitrary files. From there, the attack could escalate to a more serious Remote Code Execution (RCE). RCE is a severe form of attack where a hacker can run arbitrary code on a WordPress site, potentially leading to a full site takeover.

An LFI attack can be accomplished by changing URL parameters to reveal sensitive information. This vulnerability existed because the Essential Addons for Elementor plugin did not properly validate and sanitize data. Data sanitization is the process of limiting the kinds of information that can be inputted, ensuring only specific patterns are allowed. A failure in data sanitization could be compared to a lock that accepts any key.

According to the United States Government National Vulnerability Database:

"The Essential Addons for Elementor WordPress plugin before 5.0.5 does not validate and sanitize some template data before including them in include statements. This could allow unauthenticated attackers to perform a Local File Inclusion attack and read arbitrary files on the server. This could also lead to RCE via user-uploaded files or other LFI to RCE techniques."

Security site WPScan, which first discovered and reported the vulnerability, published the following description:

"The plugin does not validate and sanitize some template data before including them in include statements, which could allow unauthenticated attackers to perform a Local File Inclusion attack and read arbitrary files on the server. This could also lead to RCE via user-uploaded files or other LFI to RCE techniques."

Essential Addons for Elementor Patched

The vulnerability was announced on the National Vulnerability Database site on February 1, 2022. The "Lite" version of the Essential Addons for Elementor plugin has been patching vulnerabilities since the end of January, according to the Essential Addons Lite changelog.

A changelog is a log file of all the changes made for each version of a software program. It serves as a record for what was changed and provides transparency to users, who can review it prior to updating and decide whether the update is significant or if they should test the plugin on a staging site.

Curiously, the changelog for the Pro version only mentions "Few minor bug fixes and improvements" but does not reference the security fixes.

Screenshot of Essential Addons For Elementor Pro Changelog
Changelog for Essential Addons for Elementor Plugin

Why is the security fix information missing from the Pro version of the WordPress plugin?

Changelog for the Lite Version of Essential Addons for Elementor Lite Plugin

The changelog for the Lite version covering versions 5.0.3 to 5.0.5, updated from January 25 – 28, 2022, addressed the following issues:

  • Fixed: Parameter sanitization in dynamic widgets
  • Improved: Sanitized template file paths for security enhancement
  • Improved: Enhanced security to prevent the inclusion of unwanted files from remote servers through AJAX requests

On February 2, 2022, the following security enhancement was performed for version 5.0.6:

  • Improved: Data sanitization, validation & escaping for security enhancement

What is the Safest Version of Essential Addons for Elementor Plugin?

The U.S. Government Vulnerability Database has not assigned a severity score, leaving the extent of the vulnerability unclear. However, due to the seriousness of remote code execution vulnerabilities, it is advisable to update to the latest version of the Essential Addons plugin.

The WPScan website states that the vulnerabilities were fixed in Essential Addons for Elementor Plugin version 5.0.5. However, the lite version’s changelog indicates that version 5.0.6 addressed an additional data sanitization issue on February 2, 2022. Thus, it may be prudent to update to at least version 5.0.6.

Citations

WPScan Vulnerability Report

  • Essential Addons for Elementor < 5.0.5 – Unauthenticated LFI

United States Government Report on the Vulnerability

  • CVE-2022-0320 Detail

Essential Addons for Elementor Plugin Lite Changelog

  • Essential Addons for Elementor Lite Plugin Changelog

Changelog for Essential Addons for Elementor Pro

  • Essential Addons for Elementor Pro Changelog
Photo of SEO SEO Send an email September 30, 2024
0 3 3 minutes read
Photo of SEO

SEO

Related Articles

Matt Mullenweg Accuses WP Engine of Trying to Curtail His Free Speech Amid Dispute

October 21, 2024

WordPress Announces New Executive Director

October 9, 2024

Executive Director of WordPress Steps Down

October 5, 2024

8% of Automattic’s Employees Choose to Resign

October 5, 2024
Leave a Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button