Essential Addons for Elementor has a critical security hole


A critical security vulnerability was recently discovered in the Essential Addons for Elementor, a plugin that has over a million active installations on the WordPress plugin repository. 

The plugin promises to “enhance your Elementor page building experience with 80+ creative elements and extensions”. Two of those “creative elements”, the dynamic gallery and product gallery widgets, are where the vulnerable code was found.

The Vulnerability

The vulnerability is a local file inclusion (LFI): a malicious user can make the affected server read, and because the file is passed to PHP’s include, execute, an arbitrary file on the website’s filesystem. At minimum that exposes sensitive files such as /etc/passwd; worse, an attacker who can get PHP code into any file the web server can read can turn the same hole into Remote Code Execution (RCE).

The code responsible for the vulnerability is only present when the dynamic or product gallery widgets are in use, and it looks something like this:

// ... (dynamic / product gallery widget handler)
// Attacker-controlled: 'template_info' is taken straight from the request.
$template_info = $_REQUEST['template_info'];
// ...
// The two user-supplied values are joined into a filesystem path with no validation.
$file_path = sprintf(
    '%s/Template/%s/%s',
    $file_path,                      // plugin's template base directory
    $template_info[ 'name' ],        // meant to be a template folder name
    $template_info[ 'file_name' ]    // meant to be a .php template file
);
// ...
$html .= HelperClass::include_with_variable( $file_path, [ 'settings' => $settings, 'link_settings' => $link_settings, 'iterator' => $iterator ] );
// ...
public static function include_with_variable( $file_path, $variables = [])
{
    // The only guard is existence: any readable file on disk passes.
    if (file_exists($file_path)) {
        extract($variables);         // expose $settings etc. to the template

        ob_start();

        include $file_path;          // include executes any PHP found in the file

        return ob_get_clean();
    }

    return '';
}

What this does is fill $template_info with user input from $_REQUEST, which merges the query string and POST body (and, depending on PHP’s request_order setting, cookies). Those values are then blindly joined with the plugin’s template directory to build a file path, with no safety checks on the result.

Because nothing validates the constructed path, a malicious user can pass a payload such as “../../../../etc/passwd” in one of the fields. Each “../” steps one directory up, so enough of them climb out of the plugin directory to the filesystem root, and the remainder descends into /etc/ to pick up the passwd file. The plugin then serves its contents back in the widget output, exposing sensitive system information. Worse still, since the file is handed to include rather than merely read, any PHP code in the included file is executed, so there are multiple ways this could be turned into Remote Code Execution (RCE).

The Patches

The vulnerability was originally discovered in v5.0.3 of the Essential Addons for Elementor plugin by Wai Yan Myo Thet, an independent threat researcher. The plugin creators were promptly informed about the vulnerability and subsequently made multiple patches to neutralize the security hole.

The first patch, v5.0.4, only applied the WordPress sanitize_text_field() function to the user input. That function strips tags and stray whitespace but leaves “../” intact, so it does nothing against path traversal. The second patch, v5.0.5, switched to the WordPress sanitize_file_name() function, which strips characters that are illegal in filenames, slashes among them, and trims leading and trailing dots, so a “../” sequence no longer survives. The third patch, v5.0.6, added a further layer by resolving the constructed path with PHP’s realpath() function, which collapses any remaining “..” segments before the file is used.
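As an added example (not the plugin’s own code nor any of its patches), the following standalone PHP contrasts the unchecked join from the snippet above with a hardened resolver: each request field is allow-listed to a single path segment, and the resolved path is then confirmed with realpath() to sit inside the template directory, in the spirit of the v5.0.6 fix. The function names, the regular expressions and the temporary fixture directory are assumptions for illustration; it deliberately calls no WordPress functions so it runs under the php CLI on its own.

```php
<?php
// Added example, not code from the plugin. Demonstrates the unchecked path join
// described in the article beside a hardened resolver.
declare(strict_types=1);

/**
 * Vulnerable pattern from the article: join untrusted parts with no checks.
 * (Hypothetical function name; mirrors the sprintf() in the plugin snippet.)
 */
function build_template_path_vulnerable(string $base_dir, array $template_info): string
{
    return sprintf('%s/Template/%s/%s', $base_dir, $template_info['name'], $template_info['file_name']);
}

/**
 * Hardened resolver (hypothetical name). Accepts only a plain directory name and a
 * plain .php filename, resolves the result with realpath(), and requires the
 * resolved file to live under <base_dir>/Template. Returns null on rejection.
 */
function resolve_template_path_safe(string $base_dir, array $template_info): ?string
{
    $name = (string) ($template_info['name'] ?? '');
    $file = (string) ($template_info['file_name'] ?? '');

    // Allow-list: no slashes, no dot segments, no NUL bytes can get through these.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $name) || !preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $file)) {
        return null;
    }

    $root = realpath($base_dir . '/Template');
    if ($root === false) {
        return null;                                // template root missing
    }
    $candidate = realpath($root . '/' . $name . '/' . $file);
    if ($candidate === false) {
        return null;                                // file does not exist
    }
    // Containment check: realpath() has resolved ".." and symlinks, so a simple
    // prefix comparison against root + separator is now meaningful.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                                // resolved outside template root
    }
    return $candidate;
}

// Constructed fixture so the example runs offline: a fake plugin directory with one template.
$base = sys_get_temp_dir() . '/eael-demo-' . bin2hex(random_bytes(4));
mkdir($base . '/Template/default', 0700, true);
file_put_contents($base . '/Template/default/gallery.php', "<?php echo 'gallery'; ?>\n");

$requests = [
    'benign'  => ['name' => 'default',              'file_name' => 'gallery.php'],
    'hostile' => ['name' => '../../../../../../..', 'file_name' => 'etc/passwd'],
];

foreach ($requests as $label => $info) {
    printf("%-8s unchecked join : %s\n", $label, build_template_path_vulnerable($base, $info));
    printf("%-8s hardened result: %s\n", $label, resolve_template_path_safe($base, $info) ?? '(rejected)');
}

// Tidy up the fixture.
unlink($base . '/Template/default/gallery.php');
rmdir($base . '/Template/default');
rmdir($base . '/Template');
rmdir($base);
```

Run it with the php command-line interpreter. The benign request resolves to the real gallery.php path, while the hostile request is rejected by the allow-list before realpath() is consulted. The realpath() containment check is kept anyway: it also rejects a symlink inside the template tree that points elsewhere, which character filtering alone would miss.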

Version 5.0.6 is considered sufficient to neutralize the vulnerability. If you use the Elementor plugin, there is a good chance you also use Essential Addons for Elementor; if so, check that both plugins are on their latest versions, or at the very least that Essential Addons for Elementor is at v5.0.6 or newer. Better still, run a free scan of your website against our database of known WordPress vulnerabilities and get instant access to your scan results.
