Security News > 2022 > January > 600K WordPress sites impacted by critical plugin RCE vulnerability
Essential Addons for Elementor, a popular WordPress plugin used in over a million sites, has been found to have a critical remote code execution vulnerability in version 5.0.4 and older.
The flaw allows an unauthenticated user to perform a local file inclusion attack, such as a PHP file, to execute code on the site.
"The local file inclusion vulnerability exists due to the way user input data is used inside of PHP's include function that are part of the ajax load more and ajax eael product gallery functions." explains PatchStack researchers who discovered the vulnerability.
Researcher Wai Yan Muo Thet discovered the vulnerability on January 25, 2022, and the plugin developer already knew about its existence at that time.
With the plugin installed in over 1 million WordPress sites, that means there are over 600K sites that have not applied the security update yet.
Don't include files on a web server that can be compromised, but use a database instead. Make the server send download headers automatically instead of executing files in a specified directory.
News URL
Related news
- WordPress Plugin Alert - Critical SQLi Vulnerability Threatens 200K+ Websites (source)
- Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool (source)
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability (source)
- WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk (source)
- Fortinet warns of critical RCE bug in endpoint management software (source)
- Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788) (source)
- WordPress Admins Urged to Remove miniOrange Plugins Due to Critical Flaw (source)
- PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153) (source)
- Ivanti fixes RCE vulnerability reported by NATO cybersecurity researchers (CVE-2023-41724) (source)
- Week in review: Ivanti fixes RCE vulnerability, Nissan breach affects 100,000 individuals (source)