Tens of Thousands of Websites Vulnerable to RCE Flaw in WordPress Plugin

Potentially tens – if not hundreds – of thousands of WordPress-powered websites are vulnerable to attack via a remote code execution (RCE) bug in a widely used plugin called Essential Addons for Elementor.

The plugin has over 1 million installs worldwide and is designed to allow website owners to add a variety of customizations to pages created using Elementor Page Builder for WordPress.

An independent security researcher recently discovered the flaw in Essential Addons for Elementor versions 5.0.4 and lower and reported the issue to the plugin developer. The developer then released an updated version with a fix for the vulnerability. But researchers from PatchStack, a WordPress plugin security vendor, tested the patch and found it flawed. They reported it to the developer, and another build – this one with a fix that worked – was released on January 28.

In a blog post, PatchStack said the vulnerability gives any user – regardless of authentication or authorization status – a means to perform a so-called local file inclusion attack on a site running a vulnerable version of the Essential Addons plugin. The vulnerability can be exploited to include local files – such as one containing malicious PHP code – from the website's file system, which can then be executed remotely.

According to PatchStack, the vulnerability is related to how the plugin handles user input data when certain functions are called. For this reason, the vulnerability only manifests if widgets using these functions are used.

Pravin Madhani, CEO and co-founder of K2 Cyber Security, describes Local File Inclusion (LFI) attacks as a technique that allows a web application to execute specific files on a web server. “Generally, LFI occurs when an application uses the path to a file as input,” says Madhani. “If the application treats this input as trusted, a local file can be used in the include statement.”
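To make the pattern Madhani describes concrete, here is an added example (not code from Essential Addons, Elementor or PatchStack): a hypothetical page-builder "render a template" helper in its vulnerable form, where a request-supplied name is concatenated straight into an include path, next to a hardened form that applies an allowlist and then confirms the canonical path still lies inside the template directory. The function names, template names and directory layout are all assumptions made for the illustration; the script builds a throwaway template directory so it runs under plain `php` with no WordPress installation.

```php
<?php
declare(strict_types=1);

// Hypothetical helper of the kind a page-builder widget might expose. Nothing
// here is from a real plugin; it illustrates "path built from untrusted input
// handed to include" and one defensible way to write it instead.

// --- Vulnerable form --------------------------------------------------------
// The template name arrives from the request and is concatenated into the
// include path. Neither "../" segments nor absolute paths are rejected, so any
// readable file on the server, including an uploaded one, can be included.
function render_template_vulnerable(string $template_dir, string $name): void
{
    include $template_dir . '/' . $name . '.php';
}

// --- Hardened form ----------------------------------------------------------
// Two independent controls: an allowlist of the template names the code actually
// ships, then a canonical-path check that the resolved file still sits inside
// the template directory. Returns the path to include, or null on rejection.
function resolve_template(string $template_dir, string $name): ?string
{
    $allowed = ['default', 'compact', 'grid'];   // assumed set of shipped templates
    if (!in_array($name, $allowed, true)) {
        return null;                             // unknown name: refuse, do not "fix up"
    }

    $base = realpath($template_dir);
    $path = realpath($template_dir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;                             // directory or template missing
    }
    // realpath() resolves symlinks and "..", so a prefix check on its result is
    // reliable; the trailing separator stops "/templates-x" matching "/templates".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template_hardened(string $template_dir, string $name): bool
{
    $path = resolve_template($template_dir, $name);
    if ($path === null) {
        // Rejected names are worth logging: a burst of them is a detection signal.
        error_log('rejected template name (hex): ' . bin2hex($name));
        return false;
    }
    include $path;
    return true;
}

// --- Self-contained demo (constructed data) ---------------------------------
$dir = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir($dir . '/templates', 0700, true);
file_put_contents($dir . '/templates/default.php', "<?php echo 'default template', PHP_EOL;\n");

$inputs = [
    'default',                  // legitimate
    '../../../../etc/passwd',   // traversal: not on the allowlist, and would fail the prefix check
    'default.php',              // extension smuggling: not on the allowlist
    "default\0",                // embedded null byte: rejected before realpath() ever sees it
];
foreach ($inputs as $name) {
    $ok = render_template_hardened($dir . '/templates', $name);
    printf("%-28s => %s\n", json_encode($name), $ok ? 'included' : 'rejected');
}
```

The allowlist is the control that actually closes the hole; the `realpath()` prefix check is there so that a future change to the allowlist (say, names read from a settings table) cannot quietly reintroduce traversal. Note that the check compares against the canonical directory, so the template directory itself may be a symlink without breaking it.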

More WordPress security issues
For WordPress website operators, the latest flaw is just the latest in a long list of security vulnerabilities they have faced over the years, many of them in platform plugins. In January, for example, another WordPress security provider, Wordfence, reported discovering the same vulnerability in three separate WordPress plugins; the issue affected some 84,000 websites.

In December, researchers from Jetpack reported two vulnerabilities – an authenticated privilege escalation bug (CVE-2021-25036) and an authenticated SQL injection bug (CVE-2021-25037) – in a WordPress plugin called All in One SEO. The vulnerabilities affected some 3 million websites when first disclosed. Yet another vulnerability, which Wordfence disclosed in November, this time in a plugin called Starter Templates – Elementor, Gutenberg & Beaver Builder Templates, hit around 1 million websites.

Organizations can mitigate their exposure to these threats by implementing some basic best practices, Madhani says.

These include keeping WordPress installations updated and properly patched. Organizations should also keep only the plugins they actively use and ensure those plugins are updated and patched as well. Having multi-layered security controls is also essential, he says.

This should ideally include edge security, runtime application security, and server security, he says. As examples, he cites web application firewalls, runtime application security monitoring, and endpoint detection and response technologies.

“Keep abreast of incidents reported by your tools and follow up on reports regularly, especially critical security incidents,” Madhani advises. “Make sure you have good password policies and password security (like MFA) for your WordPress site.”
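The two plugin-hygiene points above (remove plugins you do not use, patch the ones you do) can be turned into a routine check. The script below is an added example, not code from any of the vendors or plugins named in the article: a pure function that flags inactive plugins and active plugins with a pending update, run here over constructed sample data so it executes under plain `php`. The plugin slugs and version numbers are invented. The guarded block at the bottom is an assumption about how one would feed it real data on a site (WordPress's `get_plugins()`, `is_plugin_active()` and the `update_plugins` site transient, for instance via `wp eval-file`).

```php
<?php
declare(strict_types=1);

/**
 * Flags installed-but-inactive plugins (candidates for removal: dormant code is
 * still reachable over the web) and active plugins with a newer version available.
 *
 * @param array<string, array{Name:string, Version:string}> $installed plugin file => header data
 * @param string[]              $active   plugin files that are active
 * @param array<string, string> $updates  plugin file => newest available version
 * @return array<string, string>          plugin file => finding
 */
function audit_plugins(array $installed, array $active, array $updates): array
{
    $findings = [];
    foreach ($installed as $file => $data) {
        if (!in_array($file, $active, true)) {
            $findings[$file] = sprintf('inactive (v%s): remove it rather than leave it installed', $data['Version']);
            continue;
        }
        if (isset($updates[$file]) && version_compare($data['Version'], $updates[$file], '<')) {
            $findings[$file] = sprintf('update pending: %s -> %s', $data['Version'], $updates[$file]);
        }
    }
    return $findings;
}

// Constructed sample data: three made-up plugins, illustrative versions only.
$installed = [
    'example-addons/example-addons.php' => ['Name' => 'Example Addons', 'Version' => '1.0.0'],
    'example-seo/example-seo.php'       => ['Name' => 'Example SEO',    'Version' => '2.3.0'],
    'old-gallery/old-gallery.php'       => ['Name' => 'Old Gallery',    'Version' => '0.9.1'],
];
$active  = ['example-addons/example-addons.php', 'example-seo/example-seo.php'];
$updates = ['example-addons/example-addons.php' => '1.0.1'];

// Assumed wiring for a real site (not the page's code): when WordPress is
// bootstrapped, replace the sample data with the site's own answers. The shapes
// match get_plugins() and the 'update_plugins' transient's ->response array.
if (defined('ABSPATH')) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $installed = get_plugins();
    $active    = array_values(array_filter(array_keys($installed), 'is_plugin_active'));
    $transient = get_site_transient('update_plugins');
    $updates   = [];
    foreach ((array) ($transient->response ?? []) as $file => $info) {
        $updates[$file] = (string) $info->new_version;
    }
}

foreach (audit_plugins($installed, $active, $updates) as $file => $finding) {
    echo $file, ': ', $finding, PHP_EOL;
}
```

On the sample data this reports the inactive `old-gallery` plugin and the pending update for `example-addons`, while `example-seo` produces no finding. Scheduling the real-site variant and alerting on its output is a cheap way to act on the "keep only what you use, and keep it patched" advice without relying on someone remembering to open the admin dashboard.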

Esther L. Gunn