Tens of Thousands of Websites Vulnerable to RCE Flaw in WordPress Plug-in

Now-patched issue in Essential Addons for Elementor gives attackers a way to carry out local file inclusion attacks, researchers say.

3 Min Read
computer screen with wordpress logo
Source: monticello via Shutterstock

Potentially tens — and even hundreds — of thousands of websites powered by WordPress are vulnerable to attack via a remote code execution (RCE) bug in a widely used plug-in called Essential Addons for Elementor.

The plug-in has over 1 million installations worldwide and is designed to let website owners add a variety of customizations to pages that were built using the Elementor page builder for WordPress.

An independent security researcher recently discovered the flaw in versions 5.0.4 and below of Essential Addons for Elementor and reported the issue to the developer of the plug-in. The developer then released an updated version with a fix for the vulnerability. But researchers at PatchStack, a WordPress plug-in security vendor, tested the patch and found it to be defective. They reported it to the developer, and another version — this one with a fix that worked — was issued on Jan. 28.

In a blog post, PatchStack said the vulnerability gives any user — regardless of their authentication or authorization status — a way to perform a so-called local file inclusion attack on a site with a vulnerable version of the Elementor plug-in. The vulnerability can be exploited to include local files — such as one with malicious PHP code — on the file system of the website that can then be remotely executed.

According to PatchStack, the vulnerability has to do with the way in which the plug-in handles user input data when certain functions are called. Because of this, the vulnerability manifests only if widgets that utilize these functions are used.

Pravin Madhani, CEO and co-founder of K2 Cyber Security, describes local file inclusion (LFI) attacks as a technique for getting a Web application to run specific files on a Web server. "Typically, LFI occurs when an application uses the path to a file as input," Madhani says. "If the application treats this input as trusted, a local file may be used in the include statement."

More WordPress Security Woes
For operators of WordPress websites, the latest flaw is only the latest in a long list of security vulnerabilities they have had to deal with over the years. Many of the issues have had to do with plug-ins for the platform. In January, for instance, another WordPress security vendor, Wordfence, reported discovering a vulnerability — the same one — across three separate plug-ins for WordPress. The issue affected some 84,000 websites. 

In December, researchers at JetPack reported two vulnerabilities — an authenticated privilege escalation bug (CVE-2021-25036) and an authentication SQL injection bug (CVE-2021-25037) in a WordPress plug-in called All in One SEO. The vulnerabilities affected some 3 million websites when they were first disclosed. Yet another vulnerability that Wordfence disclosed in November, this time in a plug-in called Starter Templates — Elementor, Gutenberg & Beaver Builder Templates, impacted some 1 million websites.

Organizations can mitigate their exposure to these threats by implementing some basic best practices, Madhani says.

These include the need to keep WordPress applications up to date and properly patched. Organizations also need to only keep plug-ins that they are actively using and ensure that the plug-ins, too, are kept updated and patched. Having multilayered security controls is critical as well, he says.

This ideally should include edge security, runtime application security, and server security, he says. As examples, he points to Web application firewalls, runtime application security control, and endpoint point detection and response technologies. 

"Keep up to date on the incidents reported by your tools, and follow up on reports regularly, especially any critical security incidents," Madhani advises. "Make sure you have good password rules and password security (like MFA) for your WordPress site."

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights