Security News > 2022 > January > 600K WordPress sites impacted by critical plugin RCE vulnerability
Essential Addons for Elementor, a popular WordPress plugin used in over a million sites, has been found to have a critical remote code execution vulnerability in version 5.0.4 and older.
The flaw allows an unauthenticated user to perform a local file inclusion attack, such as a PHP file, to execute code on the site.
"The local file inclusion vulnerability exists due to the way user input data is used inside of PHP's include function that are part of the ajax load more and ajax eael product gallery functions." explains PatchStack researchers who discovered the vulnerability.
Researcher Wai Yan Muo Thet discovered the vulnerability on January 25, 2022, and the plugin developer already knew about its existence at that time.
With the plugin installed in over 1 million WordPress sites, that means there are over 600K sites that have not applied the security update yet.
Don't include files on a web server that can be compromised, but use a database instead. Make the server send download headers automatically instead of executing files in a specified directory.
News URL
Related news
- Critical PHP RCE vulnerability mass exploited in new attacks (source)
- Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation (source)
- Critical zero-days impact premium WordPress real estate plugins (source)
- Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw (source)
- Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) (source)
- Lightning AI Studio Vulnerability Could've Allowed RCE via Hidden URL Parameter (source)
- Microsoft Patches Critical Azure AI Face Service Vulnerability with CVSS 9.9 Score (source)
- Critical RCE bug in Microsoft Outlook now exploited in attacks (source)
- MITRE Caldera RCE vulnerability with public PoC fixed, patch ASAP! (CVE-2025–27364) (source)
- Elastic Releases Urgent Fix for Critical Kibana Vulnerability Enabling Remote Code Execution (source)