The Essential Addons for Elementor WordPress plugin, with over 1,000,000 users, recently patched multiple vulnerabilities that could have allowed malicious attackers to run arbitrary code on a targeted WordPress website.
LFI to RCE Attack Vulnerability
According to the U.S. Government NIST website, vulnerabilities in the Essential Addons for Elementor plugin made it possible for an attacker to launch a Local File Inclusion attack, an exploit that allows an attacker to cause a WordPress installation to reveal sensitive information and read arbitrary files.
From there the attack could lead to a more serious attack called Remote Code Execution (RCE). Remote Code Execution is a highly serious form of attack in which a hacker is able to run arbitrary code on a WordPress site and cause a range of damage, including a full site takeover.
For example, a Local File Inclusion attack could be achieved by altering the URL parameters to something that would reveal sensitive information.
This was made possible because the Essential Addons for Elementor WordPress plugin did not properly validate and sanitize data.
Data sanitization is a process for limiting the type of information that can be input. In simple terms, data sanitization can be thought of as a lock that allows only a specific input, a key with a specific pattern. A failure to perform data sanitization is analogous to a lock that allows any key to open it.
According to the US Government National Vulnerability Database:
“The Essential Addons for Elementor WordPress plugin before 5.0.5 does not validate and sanitise some template data before using them in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attacks and read arbitrary files on the server, this could also lead to RCE via user uploaded files or other LFI to RCE techniques.”
Security site WPScan, which was the first to discover and report the vulnerability, published the following description:
“The plugin does not validate and sanitise some template data before using them in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attacks and read arbitrary files on the server, this could also lead to RCE via user uploaded files or other LFI to RCE techniques.”
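As an added illustration of the class of fix the advisories describe (this is example code, not the plugin's own), here is a hardened template loader for a hypothetical WordPress plugin: it validates a request-supplied template name and confines the resolved path to the plugin's template directory before anything reaches an include statement. The function name, the `templates` directory and the `template` request parameter are assumptions.

```php
<?php
// Added example, not Essential Addons' own code. Assumes templates live in a
// fixed plugin directory and are plain .php files selected by a short name.

// The unsafe shape of the bug described above: a request value concatenated
// straight into the include path, so traversal sequences, absolute paths or
// remote URLs can be pulled in. Shown for contrast only; do not use.
// include plugin_dir_path(__FILE__) . 'templates/' . $_REQUEST['template'] . '.php';

function example_resolve_template(string $requested, string $template_dir): ?string {
    // 1. Allowlist the shape of the name: letters, digits, dash, underscore only.
    //    This rejects slashes, dots, null bytes and URL schemes (http://...) outright.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }
    // 2. Resolve both the directory and the candidate file to canonical paths.
    $base = realpath($template_dir);
    if ($base === false) {
        return null; // template directory missing
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($candidate === false) {
        return null; // no such template file
    }
    // 3. Confirm the resolved file is still inside the template directory
    //    (defence in depth against symlinks or a later relaxed regex).
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage inside a request handler. sanitize_key(), wp_unslash(),
// plugin_dir_path() and wp_send_json_error() are WordPress core functions.
$name = isset($_REQUEST['template']) ? sanitize_key(wp_unslash($_REQUEST['template'])) : '';
$path = example_resolve_template($name, plugin_dir_path(__FILE__) . 'templates');
if ($path === null) {
    wp_send_json_error('invalid template', 400);
}
include $path;
```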
Essential Addons for Elementor Patched
The vulnerability was announced on the National Vulnerability Database site on February 1, 2022.
But the “Lite” version of the Essential Addons for Elementor plugin has been patching vulnerabilities since the end of January, according to the Essential Addons Lite changelog.
A changelog is a software log of all changes made for each version that is updated. It is a record of everything that was changed.
Interestingly, the changelog for the Pro version only mentions “Few minor bug fixes and improvements” but makes zero mention of the security fixes.
Screenshot of Essential Addons For Elementor Pro Changelog

Why is the security fix information missing from the Pro version of the WordPress plugin?
Changelog for the Lite Version of the Essential Addons for Elementor Lite Plugin
The changelog for the Lite version covering versions 5.0.3 to 5.0.5 was updated from January 25 – 28, 2022 to fix the following issues:
- Fixed: Parameter sanitization in dynamic widgets
- Improved: Sanitized template file paths for Security Enhancement
- Improved: Enhanced Security to prevent inclusion of unwanted file type from remote server via ajax request
The changelog notes that today, February 2, 2022, the following security enhancement was implemented for version 5.0.6:
- Improved: Data sanitization, validation & escaping for Security Enhancement
What Is the Safest Version of the Essential Addons for Elementor Plugin?
The U.S. Government Vulnerability Database has not assigned a severity score, so it is unclear at present how bad the vulnerability is.
However, a remote code execution vulnerability is particularly concerning, so it is probably a good idea to update to the very latest version of the Essential Addons plugin.
The WPScan website states that the vulnerabilities were fixed in Essential Addons for Elementor plugin version 5.0.5.
However, the plugin changelog for the Lite version of the plugin states that version 5.0.6 fixes an additional data sanitization issue today, on February 22, 2022.
So it may be prudent to update to at least version 5.0.6.
Citations
Read the WPScan Vulnerability Report
Essential Addons for Elementor < 5.0.5 – Unauthenticated LFI
Read the US Government Report on the Vulnerability
Read the Essential Addons for Elementor Plugin Lite Changelog
Essential Addons for Elementor Lite Plugin Changelog
Read the Changelog for Essential Addons for Elementor Pro