Multiple versions of WordPress plugin ‘Essential Addons for Elementor’ are vulnerable to remote code execution (RCE). The plugin is used by hundreds of thousands of websites. The vulnerability is present in every version prior to 5.0.5.
Its attack surface is huge. According to WordPress, the plugin is installed on at least 1 million websites. Version 5.0.5 has been available since January 28 to patch the problem. The update was downloaded about 380,000 times, meaning roughly 600,000 websites remain at risk.
The vulnerability allows an unauthorized user to input a file (for example, .php) into a website to execute code. The method is commonly known as a file inclusion attack. Local access is required. Furthermore, the ‘dynamic gallery’ and ‘product gallery’ widgets from Essential Addons for Elementor must be enabled.
Essential Addons for Elementor patch
Wai Yan Muo Thet, a researcher at Patchstack, confirmed the vulnerability on January 25. At this time, the developer of Essential Addons for Elementor was well-aware of the problem.
Before Patchstack’s investigation, the developer attempted to patch the vulnerability twice: first with version 5.0.3, then with version 5.0.4. Patchstack examined the effectiveness of the patch in version 5.0.4. The vulnerability was still present. Patchstack’s feedback allowed the developer to fix the issue in version 5.0.5.
5.0.5 is available on this page and the WordPress dashboard. Updating is the most effective measure.
Tip: WordPress 5.9 available – themes customizable with no-code interface