Over one million WordPress websites might have been impacted by a critical vulnerability in the Essential Addons for Elementor plugin.
Essential Addons for Elementor provides WordPress site admins with more than 80 elements and extensions to help them easily design WordPress pages and posts.
Affecting version 5.0.4 and earlier of the plugin, the security flaw allows any user to perform a local file inclusion attack, regardless of their authentication or authorization level. The attack then could lead to remote code execution, if the included file contains malicious PHP code.
The issue was initially discovered by Wai Yan Myo Thet and the plugin’s developers attempted to resolve it in version 5.0.3, and then again in version 5.0.4, but failed. A complete patch was released last week, when Essential Addons for Elementor version 5.0.5 was rolled out.
The security error exists because of the manner in which “user input data is used inside of PHP’s include function that are part of the ajax_load_more and ajax_eael_product_gallery functions,” WordPress security firm Patchstack explains.
The security firm also notes that the vulnerability only exists if widgets such as dynamic gallery or product gallery are in use, as they are those that employ the vulnerable functions and because a nonce token check is visible only when these widgets are enabled.
More than one million WordPress sites use Essential Addons for Elementor, but it’s unclear how many of them have the widgets enabled. More than 400,000 websites have already updated their installations to the patched version of the plugin, but over 600,000 of them remain potentially vulnerable.