Potentially tens – if not hundreds – of thousands of WordPress-powered websites are vulnerable to attack via a remote code execution (RCE) bug in a widely used plugin called Essential Addons for Elementor.
The plugin has over 1 million installs worldwide and is designed to allow website owners to add a variety of customizations to pages created using Elementor Page Builder for WordPress.
An independent security researcher recently discovered the flaw in Essential Addons for Elementor versions 5.0.4 and lower and reported the issue to the plugin developer. The developer then released an updated version with a fix for the vulnerability. But researchers from PatchStack, a WordPress plugin security vendor, tested the patch and found it flawed. They reported it to the developer, and another build – this one with a fix that worked – was released on January 28.
In a blog post, PatchStack said the vulnerability gives any user – regardless of authentication or authorization status – a means to perform a so-called local file inclusion attack on a site running a vulnerable version of the plugin. The vulnerability can be exploited to include local files – such as one containing malicious PHP code – from the website’s file system, which can then be executed remotely.
According to PatchStack, the vulnerability is related to how the plugin handles user input data when certain functions are called. For this reason, the vulnerability only manifests if widgets using these functions are used.
Pravin Madhani, CEO and co-founder of K2 Cyber Security, describes Local File Inclusion (LFI) attacks as a technique that allows a web application to execute specific files on a web server. “Generally, LFI occurs when an application uses the path to a file as input,” says Madhani. “If the application treats this input as trusted, a local file can be used in the include statement.”
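The pattern Madhani describes, in the generic PHP form it takes: an include statement whose path is built from request data. The block below is an added illustration, not code from Essential Addons for Elementor or from PatchStack's write-up; the function names, the `templates` directory and the allowlist entries are assumptions. It shows the unsafe shape beside a hardened version that maps a request selector onto a fixed set of known files and then verifies the resolved path still lies inside the intended directory.

```php
<?php
// Added example (not the plugin's own code). Function names, the
// templates directory and the allowlist entries are assumptions.

// UNSAFE: the request parameter is treated as trusted and concatenated
// straight into include. Whoever controls $template controls which local
// file the server executes. This is the LFI shape the article describes.
function load_template_unsafe(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// HARDENED: request data selects an entry from a fixed allowlist and never
// becomes part of a path itself.
const ALLOWED_TEMPLATES = [
    'grid'  => 'grid.php',
    'list'  => 'list.php',
    'cards' => 'cards.php',
];

function load_template_safe(string $template): bool
{
    if (!array_key_exists($template, ALLOWED_TEMPLATES)) {
        error_log('rejected template selector: ' . $template);
        return false;
    }

    // Defence in depth: even an allowlisted entry must exist and must
    // resolve inside the templates directory after symlinks and ".." are
    // collapsed by realpath().
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . ALLOWED_TEMPLATES[$template]);
    if ($base === false
        || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        error_log('template resolved outside templates directory: ' . $template);
        return false;
    }

    include $path;
    return true;
}

// Typical call site, e.g. an AJAX handler. Inside a real WordPress plugin
// you would additionally call check_ajax_referer() and sanitize_key() on
// the selector before dispatching.
$selector = isset($_REQUEST['template']) ? (string) $_REQUEST['template'] : 'grid';
if (!load_template_safe($selector)) {
    http_response_code(400);
    echo 'Unknown template';
}
```

The important design choice is that the hardened function never lets the caller supply a filename fragment: the selector is a dictionary key, and the filename comes from the server-side table. The `realpath` check is a second line of defence for the case where the table itself is later edited to point at an unexpected location, and the `error_log` calls give the runtime monitoring Madhani recommends something concrete to alert on.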
More WordPress security issues
For WordPress website operators, this flaw is only the latest in a long list of security vulnerabilities they have faced over the years. Many of these issues stem from platform plugins. In January, for example, another WordPress security vendor, Wordfence, reported discovering the same vulnerability in three separate WordPress plugins. The issue affected some 84,000 websites.
In December, JetPack researchers reported two vulnerabilities – an authenticated privilege escalation bug (CVE-2021-25036) and an authenticated SQL injection bug (CVE-2021-25037) – in a WordPress plugin called All in One SEO. The vulnerabilities affected some 3 million websites when first disclosed. Another vulnerability disclosed by Wordfence in November, this time in a plugin called Starter Templates – Elementor, Gutenberg & Beaver Builder Templates, affected around 1 million websites.
Organizations can mitigate their exposure to these threats by implementing some basic best practices, Madhani says.
These include keeping WordPress installations updated and properly patched. Organizations should also keep only the plugins they actively use and ensure that those plugins are updated and patched as well. Having multi-layered security controls is also essential, he says.
This should ideally include edge security, runtime application security, and server security, he says. As examples, he cites web application firewalls, runtime application security monitoring, and endpoint detection and response technologies.
“Keep abreast of incidents reported by your tools and follow up on reports regularly, especially critical security incidents,” Madhani advises. “Make sure you have good password policies and password security (like MFA) for your WordPress site.”