WordPress plugin exposes half a million sites to attack
Users told to update Essential Addons for Elementor WordPress plugin immediately
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
A popularWordPressplugin used by more than a million websites all over the world has been found to be carrying a critical remote code execution (RCE) flaw that allowed potential malicious actors to perform a local file inclusion attack.
Cbersecurity researcher Wai Yan Muo Thet discovered the vulnerability in the Essential Addons for Elementor plugin on January 25, 2022, and reported it to Patchstack the same day.
WPDeveloper, the owner of thepluginin question, was already aware of the vulnerability, and has already made two unsuccessful attempts to fix the issue.
Fixing the issue
“The local file inclusion vulnerability exists due to the way user input data is used inside of PHP’s include function that are part of the ajax_load_more and ajax_eael_product_gallery functions,” PatchStack explained.
The only thing the vulnerable site needs, is to have the “dynamic gallery” and “product gallery” widgets enabled, it added.
Versions 5.0.3 and 5.0.4 both tried to address the problem, which was finally solved in version 5.0.5. At the moment, some 400,000 websites have upgraded the plugin, meaning roughly 600,000 are still vulnerable.
Those running Essential Addons for Elementor have two ways to go about fixing the issue: either downloading the latest version from this link, or heading over to the WordPress dashboard and triggering the update directly from there.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
A million WordPress sites are at risk due to plugin vulnerability>Yet another WordPress plugin vulnerability leaves over one million websites exposed>Another major WordPress plugin vulnerability puts thousands of sites at risk
WordPress plugins have proved popular targets for hackers attacking major vulnerabilities in recent months. In November 2021, researchers found a website takeover flaw in the Preview E-mails for WooCommerce addon, while in December 2021, a vulnerability in the popular WPS Hide Login plugin could have allowed attackers access to a site’s administrator login page.
The good news is that the plugins’ owners are usually quick to react, when the vulnerabilities are disclosed. Webmasters runningWordPress sitesare advised to keep all of their addons updated at all times, to bring the risk of an attack down to a minimum.
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Squarespace just launched its biggest update ever. I asked what that means for your business
Shopify just made it easier to access all your financial tools in one place
The M4 Mac mini has removable, modular storage – and an important SSD upgrade
