Pierluigi Paganini February 01, 2022

A critical RCE in the popular WordPress plugin Essential Addons for Elementor impacts hundreds of thousands of websites.

Essential Addons for Elementor is a popular WordPress plugin used in over a million sites that provides easy-to-use and creative elements to improve the appearance of the pages.

The plugin is affected by a critical remote code execution (RCE) vulnerability that impacts version 5.0.4 and older.

An unauthenticated user can exploit the vulnerability to perform a local file inclusion attack, such as a PHP file, to remotely gain code execution on sites running a vulnerable version of the plugin.

“This attack can be used to include local files on the filesystem of the website, such as /etc/passwd. This can also be used to perform RCE by including a file with malicious PHP code that normally cannot be executed.” reads the analysis published by PatchStack. “The local file inclusion vulnerability exists due to the way user input data is used inside of PHP’s include function that are part of the ajax_load_more and ajax_eael_product_gallery functions.”

The vulnerability was discovered by Wai Yan Myo Thet, the flaw can be exploited only if websites have the “dynamic gallery” and “product gallery” widgets enabled so that a none token check is present.

Initially, the development team attempted to fix the flaw by implementing a “sanitize_text_field” function on the user input data. However, experts discovered that it was still possible the inclusion of local payloads, then a second patch was applied to version 5.0.4. The new patch invokes the WordPress sanitize file_name function. The function removes special characters that are not admitted in filenames, such as dots and slashes, in order to prevent local file inclusion attacks. Unfortunately, this version was still vulnerable and requested an additional review.

“The third patch was applied to version 5.0.5 of the plugin which can be seen below. This adds more security by making use of PHP’s realpath function. This function returns the canonicalized absolute pathname by expanding all symbolic links and resolves references to ., ../, etc. in the input path.” continues the analysis.

Version 5.0.5 was released on January 28, 2022, and at the time of this writing, it was installed only on 380,000 WordPress websites, this means that more than 600K sites are still using a potentially vulnerable version.

Below is the timeline for this vulnerability:

• 25-01-2022 – We discovered the vulnerability in Essential Addons for Elementor and released a virtual patch to all Patchstack paid version customers.
• 25-01-2022 – We reached out to the developer of the plugin. The issue was known to them as it was reported to them already. We made the comment that their current patch is insufficient.
• 28-01-2022 – The developer released version 5.0.5 which contains a sufficient patch.
• 31-01-2022– Added the vulnerability to the Patchstack vulnerability database.
• 31-01-2022 – Published the article.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

[adrotate banner=”5″]

[adrotate banner=”13″]