HomeNews & updatesWordPress Vulnerability in Essential Addons for Elementor - Search Engine Journal

WordPress Vulnerability in Essential Addons for Elementor – Search Engine Journal

Discover SEO trends from some of the top SEO professionals. They will tell you just about everything you need to know to succeed in 2023.
Discover SEO trends from some of the top SEO professionals. They will tell you just about everything you need to know to succeed in 2023.
Discover what PPC trends you need to know in 2023 if you want to drive more traffic, leads, and conversions, make the most of your budget, and stay ahead of your competition.
This ebook shows you how to meet customers at each stage of their journey and create compelling content that converts.
Want to know what makes a Facebook ad effective and how to set up your campaigns for success?
How do you create web content that’s digestible for search engines while simultaneously providing a user-friendly experience?
1+ Million WordPress sites affected by vulnerabilities that could lead to remote code execution attacks
The Essential Addons for Elementor WordPress plugin, with over a million users recently patched multiple vulnerabilities that could have allowed malicious attackers to run arbitrary code on a targeted WordPress website.
According to the U.S. Government NIST website, vulnerabilities on the Essential Addons for Elementor plugin made it possible for an attacker to launch a a Local File Inclusion attack, which is an exploit that allows an attacker to cause a WordPress installation to reveal sensitive information and read arbitrary files.
From there the attack could lead to a more serious attack called a Remote Code Execution (RCE). Remote Code Execution is a highly serious form of attack in which a hacker is able to run arbitrary code on a WordPress site and cause a range of damage, including a full site takeover.
As an example, a Local File Inclusion attack can be accomplished by changing the URL parameters to something that could reveal sensitive information.
This was made possible because the Essential Addons for Elementor WordPress plugin did not properly validate and sanitize data.
Data Sanitization is a process for limiting the kind of information that is possible to be input. In simple terms, data sanitization can be thought of as a lock that allows only a specific input, a key with a specific pattern. A failure to perform data sanitization could be analogous to a lock that allows any key to open it.
According to the United States Government National Vulnerability Database:
“The Essential Addons for Elementor WordPress plugin before 5.0.5 does not validate and sanitise some template data before it them in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attack and read arbitrary files on the server, this could also lead to RCE via user uploaded files or other LFI to RCE techniques.”
Security site WPScan who were the ones to discover first discover and report the vulnerability published the following description:
“The plugin does not validate and sanitise some template data before it them in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attack and read arbitrary files on the server, this could also lead to RCE via user uploaded files or other LFI to RCE techniques.”
The vulnerability was announced on the National Vulnerability Database site on February 1, 2022.
But the “Lite” version Essential Addons for Elementor plugin has been patching vulnerabilities since the end of January, according to the Essential Addons Lite changelog.
A changelog is a log file of all the changes made for each version of a software program, like a WordPress plugin, that is updated. It is a record of everything that was changed.
The purpose of the changelog is as a record for what was changed as well as to provide transparency to the users of the software, who can review it prior to updating and decide whether the update is important or to take some time and test the plugin on a staging site to see if the changes impact other plugins and the theme in use.
Curiously, the changelog for the Pro version does only mentions “Few minor bug fixes and improvements” but makes zero mention of the security fixes.
Changelog for Essential Addons for Elementor Plugin
Why is the security fix information missing from the Pro version of the WordPress plugin?
The changelog for the Lite version covering versions 5.0.3 to 5.0.5 were updated from January 25 – 28, 2022 to fix the following issues:
The changelog notes that today on February 2, 2022 the following security enhancement was performed for version 5.0.6:
The U.S. Government Vulnerability Database has not assigned a severity score, so it’s unclear at this time how bad the vulnerability is.
However, a remote code execution vulnerability is particularly concerning so it’s probably a good idea to update to the very latest version of the Essential Addons plugin.
The WPScan website states that the vulnerabilities were fixed in Essential Addons for Elementor Plugin version 5.0.5.
However the plugin changelog for the Lite version of the plugin states that version 5.0.6 fixes an additional data sanitization issue today, on February 22, 2022.
So it may be prudent to update to at least version 5.0.6.
Essential Addons for Elementor < 5.0.5 – Unauthenticated LFI
CVE-2022-0320 Detail
Essential Addons for Elementor Lite Plugin Changelog
Essential Addons for Elementor Pro Changelog
Roger Montti is a search marketer with over 20 years experience. I offer site audits, phone consultations and content and …
Get our daily newsletter from SEJ’s Founder Loren Baker about the latest news in the industry!
Subscribe to SEJ
Get your daily recap of the latest search news, advice, and trends.
Educating and empowering the SEO community by providing the freshest news and latest best practices via the industry’s smartest practitioners.
Copyright © 2022 Search Engine Journal. All rights reserved. Published by Alpha Brand Media.

source

- Advertisment -


Most Popular

- Advertisment -