Security News > 2022 > January > 600K WordPress sites impacted by critical plugin RCE vulnerability
Essential Addons for Elementor, a popular WordPress plugin used in over a million sites, has been found to have a critical remote code execution vulnerability in version 5.0.4 and older.
The flaw allows an unauthenticated user to perform a local file inclusion attack, such as a PHP file, to execute code on the site.
"The local file inclusion vulnerability exists due to the way user input data is used inside of PHP's include function that are part of the ajax load more and ajax eael product gallery functions." explains PatchStack researchers who discovered the vulnerability.
Researcher Wai Yan Muo Thet discovered the vulnerability on January 25, 2022, and the plugin developer already knew about its existence at that time.
With the plugin installed in over 1 million WordPress sites, that means there are over 600K sites that have not applied the security update yet.
Don't include files on a web server that can be compromised, but use a database instead. Make the server send download headers automatically instead of executing files in a specified directory.
News URL
Related news
- Apache issues patches for critical Struts 2 RCE bug (source)
- Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection (source)
- BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products (source)
- BeyondTrust fixes critical vulnerability in remote access, support solutions (CVE-2024-12356) (source)
- Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools (source)
- Premium WPLMS WordPress plugins address seven critical flaws (source)
- Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks (source)
- Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now (source)
- Unpatched critical flaws impact Fancy Product Designer WordPress plugin (source)
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection (source)