A popular WordPress plugin with more than a million active installs has patched a critical vulnerability that would allow a local file inclusion attack.
Essential Addons for Elementor, one of the most popular WordPress plugins, has patched a critical security vulnerability.
Security researcher Wai Yan Myo discovered the vulnerability and reported it to Patchstack on January 25, 2022. Once the issue was known to WPDeveloper, they issued two insufficient patches before it was finally fixed in version 5.0.5.
According to the report, this vulnerability allows any user to perform a local file inclusion attack, regardless of their authentication. This attack can be used to include local files on the filesystem of the website, such as /etc/passwd. It can also be used to perform RCE by including a file with malicious PHP code that normally cannot be executed.
The impact was primarily limited to users who have the dynamic gallery and product gallery widgets in their posts.
In the plugin’s changelog, the fix reads like an enhancement rather than a serious security concern, so a user who only goes through the changelog may not realize that they need to update the plugin. Updating the plugin is nevertheless highly recommended.
Versions below 5.0 are considered vulnerable.
According to WordPress.org stats, approximately 54% of the plugin’s users are running a version older than 5.0.5.
These stats show that half a million users are still in the vulnerable zone if they have used those specific widgets. We recommend simply updating the plugin as soon as possible.
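Because the changelog does not flag the fix as a security release, it helps to check the installed version directly. The following is an added example, not code from the plugin, WPDeveloper or Patchstack: it reads the `Version:` field from a plugin's main-file header comment and compares it with 5.0.5, the fixed release named above. The directory passed on the command line and the sample header are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

FIXED_VERSION = "5.0.5"  # first fully fixed release, per the article

# WordPress reads plugin metadata from a header comment in the main PHP file.
HEADER_FIELD = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)


def parse_header(php_source):
    """Return the 'plugin name' and 'version' fields found in the first 8 KiB."""
    fields = {}
    for key, value in HEADER_FIELD.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value.strip())  # first occurrence wins
    return fields


def version_tuple(version):
    """'5.0.5-beta1' -> (5, 0, 5); suffixes are ignored, short versions padded."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def needs_update(version, fixed=FIXED_VERSION):
    """True when the installed version sorts below the fixed release."""
    return version_tuple(version) < version_tuple(fixed)


def audit_plugin_dir(plugin_dir):
    """Locate the main file in one plugin directory; return (name, version, needs_update)."""
    for php_file in sorted(Path(plugin_dir).glob("*.php")):
        text = php_file.read_text(encoding="utf-8", errors="replace")
        fields = parse_header(text)
        if "plugin name" in fields and "version" in fields:
            return (fields["plugin name"], fields["version"],
                    needs_update(fields["version"]))
    return None  # no plugin header found in this directory


# Constructed sample header, not copied from the real plugin file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Essential Addons for Elementor
 * Version: 5.0.4
 */
"""

if __name__ == "__main__":
    # Usage: python audit.py /path/to/wp-content/plugins/<plugin-directory>
    result = audit_plugin_dir(sys.argv[1]) if len(sys.argv) > 1 else None
    print(result or parse_header(SAMPLE_HEADER))
```

A result whose last element is `True` means the install predates 5.0.5 and should be updated, whether or not the gallery widgets are currently in use.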