Essential Addons for Elementor, a WordPress plugin with over a million users, recently patched several vulnerabilities that could have allowed attackers to run arbitrary code on a targeted WordPress site.
LFI to RCE attack vulnerability
According to the US government's NIST website, vulnerabilities found in the Essential Addons for Elementor plugin made it possible for an attacker to launch a local file include (LFI) attack, an exploit that causes a WordPress installation to reveal sensitive information and read arbitrary files.
From there the attack can escalate to a more dangerous one, Remote Code Execution (RCE). Remote code execution is a very dangerous form of attack in which a hacker can run arbitrary code on a WordPress site and cause a range of damage, up to taking over the entire site.
For example, a local file include attack can be performed by changing the URL parameters to something that can reveal sensitive information.
This was made possible because the Essential Addons for Elementor WordPress plugin did not properly validate and sanitize the data.
Data sanitization is the process of restricting the type of information that can be entered. In simple terms, data sanitization can be thought of as a lock that only accepts a specific input, a key with a specific pattern. Failing to perform data sanitization is like a lock that any key can open.
According to the US government National Vulnerability Database:
"The Essential Addons for Elementor WordPress plugin prior to 5.0.5 does not validate and sanitize some template data before using it in include statements, which could allow unauthenticated attackers to perform a Local File Inclusion attack and read arbitrary files on the server, and this could also lead to RCE via user-uploaded files or other LFI to RCE techniques."
WPScan, the security site that first discovered and reported the vulnerability, posted the following description:
"The plugin does not validate and sanitize some template data before using it in include statements, which could allow unauthenticated attackers to perform a local file include attack and read arbitrary files on the server, and could also lead to RCE via user-uploaded files or other LFI to RCE techniques."
Essential Addons for Elementor is patched
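As an added illustration (not code from the plugin), the pattern the two descriptions above refer to, in plain PHP: an include whose file name comes straight from request data, beside a hardened version that allowlists the template name and confirms the resolved path stays inside the templates directory. The templates directory and template names are assumptions that the script creates for itself so it runs stand-alone.

```php
<?php
// Added illustration, not the plugin's own code: a template include that trusts
// request data next to a hardened version. The templates directory and template
// names below are assumptions created on the fly so the script runs stand-alone.

// Vulnerable pattern: the template name comes straight from the request and is
// spliced into an include path. Nothing rejects "../" or other path components,
// so the include can be pointed at any file PHP can read (local file inclusion).
function render_template_unsafe(string $templates_dir, string $template): void
{
    include $templates_dir . '/' . $template . '.php';
}

// Hardened pattern: the name must match a fixed list of known templates, and the
// resolved path must still sit inside the templates directory. Returns false
// instead of including anything when either check fails.
function render_template_safe(string $templates_dir, string $template): bool
{
    $allowed = ['post-grid', 'post-list'];          // assumed template names
    if (!in_array($template, $allowed, true)) {
        return false;                                // unknown key: refuse
    }
    $base = realpath($templates_dir);
    $path = realpath($templates_dir . '/' . $template . '.php');
    // realpath() collapses ".." and symlinks; the result must begin with the
    // templates directory, otherwise the file lives outside the allowed tree.
    // This is defence in depth: it also catches a template that is a symlink
    // pointing elsewhere even though its name passed the allowlist.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Stand-alone demo: build a throwaway templates/ directory with one real
// template and one file outside it, then exercise the hardened function.
$root = sys_get_temp_dir() . '/tpl-demo-' . getmypid();
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/post-grid.php', "<?php echo \"post-grid rendered\\n\";");
file_put_contents($root . '/outside.php', "<?php echo \"outside file rendered\\n\";");

var_dump(render_template_safe($root . '/templates', 'post-grid'));   // known template inside the directory
var_dump(render_template_safe($root . '/templates', '../outside'));  // name not on the allowlist, refused

// Clean up the throwaway files.
unlink($root . '/templates/post-grid.php');
unlink($root . '/outside.php');
rmdir($root . '/templates');
rmdir($root);
```

In a WordPress plugin the same idea applies: map request values to a fixed set of template keys and build the include path from that map, never from the raw value.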
The vulnerability was announced on the National Vulnerability Database website on February 1, 2022.
But the "Lite" version of Essential Addons for Elementor had already been patching the vulnerabilities since the end of January, according to the Essential Addons Lite changelog.
A changelog is a log of all the changes made in each released version of a piece of software, such as a WordPress plugin. It is a record of everything that has changed.
The purpose of a changelog is to record what has changed and to provide transparency to the software's users, who can review it before updating and decide whether the update is significant enough to take the time to test the plugin on a staging site and see whether the changes affect other plugins or the theme in use.
Oddly enough, the changelog in the Pro version only mentions “a few minor bug fixes and improvements” but never mentions security fixes.
Screenshot of Essential Addons For Elementor Pro Changelog
Why is security fix information missing from the Pro version of the WordPress plugin?
Changelog for the Lite version of Essential Addons for Elementor
The changelog for the Lite version shows that versions 5.0.3 to 5.0.5, released between January 25 and 28, 2022, fixed the following issues:
- Static: Sanitize parameters in dynamic tools
- Improved: Sanitized template file paths for improved security
- Improved: Improved security to prevent spam file from being included from a remote server through an ajax request
The changelog indicates that today, February 2, 2022, the following security improvements were made for version 5.0.6:
- Improved: Data scrubbing, validation, and escapes for improved security
What is the most secure version of Essential Addons for Elementor?
The US government’s vulnerability database does not specify a severity, so it is unclear at this time how bad the vulnerability is.
However, the remote code execution vulnerability is particularly concerning, so it’s probably a good idea to update to the latest version of the Essential Addons plugin.
The WPScan website states that the vulnerabilities have been fixed in Essential Addons for Elementor Plugin version 5.0.5.
However, the changelog for the Lite version of the plugin shows that version 5.0.6, released today, February 22, 2022, fixes an additional data sanitization issue.
So it might be wise to update to at least version 5.0.6.