600K WordPress sites impacted by critical plugin RCE vulnerability

Essential Addons for Elementor, a popular WordPress plugin used on over a million sites, has been found to have a critical remote code execution vulnerability in versions 5.0.4 and older.
The flaw allows an unauthenticated user to perform a local file inclusion attack, including a local PHP file, to execute code on the site.
"The local file inclusion vulnerability exists due to the way user input data is used inside of PHP's include function that are part of the ajax load more and ajax eael product gallery functions," explain the PatchStack researchers who discovered the vulnerability.
Researcher Wai Yan Muo Thet discovered the vulnerability on January 25, 2022, and the plugin developer already knew about its existence at that time.
With the plugin installed on over 1 million WordPress sites, that means over 600K sites have not applied the security update yet.
Don't include files on a web server that can be compromised; use a database instead. Have the server send download headers automatically rather than executing files from a specified directory.
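As an added illustration of the flaw class described above (this is not the plugin's own code; the template names, directory and request shape are constructed), the following PHP shows the unsafe pattern of building an include() path from request data beside a hardened version that only uses the request value as a key into a fixed allowlist and checks the resolved path:

```php
<?php
// Added illustration, not the plugin's own code: a handler that chooses a
// template file from a request parameter, in the unsafe and the hardened form.

// UNSAFE PATTERN: the request value becomes part of the include() path, so the
// caller controls which local file gets executed (local file inclusion).
function render_template_unsafe(string $template_dir, array $request): void {
    $template = $request['template'] ?? 'default';
    include $template_dir . DIRECTORY_SEPARATOR . $template . '.php';
}

// HARDENED PATTERN: the request value is only a key into a fixed allowlist;
// the file name itself never comes from the request.
const ALLOWED_TEMPLATES = [
    'default' => 'default.php',
    'grid'    => 'grid.php',
    'masonry' => 'masonry.php',
];

function resolve_template(string $template_dir, string $requested): string {
    $file = ALLOWED_TEMPLATES[$requested] ?? ALLOWED_TEMPLATES['default'];
    $base = realpath($template_dir);
    $path = realpath($template_dir . DIRECTORY_SEPARATOR . $file);
    // Defence in depth: the resolved path must still sit inside $template_dir.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('template resolves outside the template directory');
    }
    return $path;
}

function render_template_safe(string $template_dir, array $request): void {
    include resolve_template($template_dir, (string) ($request['template'] ?? 'default'));
}

// Self-check against a constructed template directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
foreach (ALLOWED_TEMPLATES as $file) {
    file_put_contents($dir . DIRECTORY_SEPARATOR . $file, "<?php echo 'rendered $file', PHP_EOL;");
}
// A known key renders the matching allowlisted template.
render_template_safe($dir, ['template' => 'grid']);
// An unknown key (including any path-like value) falls back to the default
// template instead of being turned into a file path.
render_template_safe($dir, ['template' => '../../some-other-file']);
var_dump(resolve_template($dir, 'masonry') === realpath($dir . DIRECTORY_SEPARATOR . 'masonry.php'));
```

The allowlist approach is an alternative to the database-backed storage suggested above; both remove the property that a request value selects which file the interpreter executes.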