Security News > 2022 > January > 600K WordPress sites impacted by critical plugin RCE vulnerability
Essential Addons for Elementor, a popular WordPress plugin used in over a million sites, has been found to have a critical remote code execution vulnerability in version 5.0.4 and older.
The flaw allows an unauthenticated user to perform a local file inclusion attack, such as a PHP file, to execute code on the site.
"The local file inclusion vulnerability exists due to the way user input data is used inside of PHP's include function that are part of the ajax load more and ajax eael product gallery functions." explains PatchStack researchers who discovered the vulnerability.
Researcher Wai Yan Muo Thet discovered the vulnerability on January 25, 2022, and the plugin developer already knew about its existence at that time.
With the plugin installed in over 1 million WordPress sites, that means there are over 600K sites that have not applied the security update yet.
Don't include files on a web server that can be compromised, but use a database instead. Make the server send download headers automatically instead of executing files in a specified directory.
News URL
Related news
- Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519) (source)
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability (source)
- Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites (source)
- Critical Zimbra RCE flaw exploited to backdoor servers using emails (source)
- CISA: Network switch RCE flaw impacts critical infrastructure (source)
- Critical Ivanti RCE flaw with public exploit now used in attacks (source)
- Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability (source)
- CISA says critical Fortinet RCE flaw now exploited in attacks (source)
- Experts Warn of Critical Unpatched Vulnerability in Linear eMerge E3 Systems (source)