A Million+ WordPress Elementor Plugins Have a Critical Bug

Short News


A critical vulnerability in a popular WordPress plugin has been discovered. The plugin, Essential Addons for Elementor, has more than one million installations. The vulnerability affects all versions of the plugin from 5.0.4 and lower and can be exploited via a local file inclusion attack.

Detailed News


A critical vulnerability in a WordPress plugin with more than one million installations has been discovered, and it could allow arbitrary code to be executed on compromised websites.


Specifically, the plugin in question is Essential Addons for Elementor, which provides WordPress site owners with a library of over 80 elements and extensions to assist them in designing and customizing pages and posts on their sites.


Patchstack stated in a report that "this vulnerability allows any user, regardless of their authentication or authorization status, to conduct a local file inclusion attack. This attack can be used to include local files on the website's filesystem, such as /etc/passwd. This can also be used to perform RCE by including a file containing malicious PHP code that would otherwise not be able to be executed by the system."


The flaw is exposed only when widgets that make use of the vulnerable function, such as dynamic gallery and product gallery, are in use; sites are not affected otherwise. Using those widgets results in local file inclusion, a technique for tricking a web application into making arbitrary files available for viewing or running on the web server.


The flaw affects all versions of the addon from 5.0.4 and lower, and researcher Wai Yan Myo Thet is credited with discovering it. Following responsible disclosure, the security hole was finally closed in version 5.0.5, which was released on January 28 "after several insufficient patches."
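A version check that follows from the affected and fixed releases above, as an added example that is not part of the original article or the plugin's code: it reads the standard WordPress plugin header (`Plugin Name:` and `Version:`) from each plugin folder and flags copies older than 5.0.5. The folder names and the sample tree in `demo()` are constructed, and matching on the header name `Essential Addons for Elementor` is an assumption.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "essential addons for elementor"  # name as given in the article (assumed header value)
FIXED_VERSION = (5, 0, 5)                       # first fixed release per the article

# WordPress reads plugin metadata from a comment header in the first 8 KB of the main PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.M | re.I)

def read_header(php_file):
    text = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    header = {}
    for key, value in HEADER_RE.findall(text):
        header.setdefault(key.lower(), value)  # first occurrence wins
    return header

def parse_version(text):
    """Dotted version as a tuple of ints, so 5.0.10 sorts after 5.0.5."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def audit(plugins_dir):
    """Return (folder, version, status) for each copy of the plugin found."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php)
        if header.get("plugin name", "").lower() != PLUGIN_NAME:
            continue
        version = parse_version(header.get("version", ""))
        if not version:
            status = "UNKNOWN"  # no readable version field: check by hand
        else:
            status = "VULNERABLE" if version < FIXED_VERSION else "patched"
        findings.append((php.parent.name, header.get("version", ""), status))
    return findings

def demo():
    """Run the audit over a constructed plugins tree (sample data, not a real site)."""
    samples = [("copy-a", "Essential Addons for Elementor", "5.0.4"),
               ("copy-b", "Essential Addons for Elementor", "5.0.10"),
               ("other", "Some Other Plugin", "1.2.0")]
    with tempfile.TemporaryDirectory() as root:
        for folder, name, version in samples:
            Path(root, folder).mkdir()
            Path(root, folder, "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
        return audit(root)

if __name__ == "__main__":
    print(demo())
```

On a real install, point `audit()` at the site's plugins directory; any `VULNERABLE` row means the plugin should be updated to 5.0.5 or later.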


Following the discovery that unidentified actors had tampered with hundreds of WordPress themes and plugins hosted on a developer's website in order to inject a backdoor with the goal of infecting additional sites, this development comes as no surprise.

