Elementor WordPress plugin has massive security hole

If your website runs on WordPress and you use the Elementor website builder, then your site could be at risk. A plugin called Essential Addons for Elementor, a popular tool for adding visual features such as timelines, image galleries, and price lists, was found to have a vulnerability.

An independent threat researcher named Wai Yan Myo Thet recently discovered the file inclusion vulnerability in the plugin.

Essential Addons for Elementor Vulnerability

The file inclusion vulnerability exists because of the way user input is handled. Data supplied by the user is concatenated with some other values into a file path. That file path is then passed to a file-inclusion function, which is what makes a local file inclusion (LFI) attack possible. The user's input is never validated before being passed to that function.

Simply put, a malicious visitor could trick an unpatched site into serving up a file it’s not supposed to. For example, an attacker could run code that would give them access to the server’s database, or force the server into running a script it shouldn’t. This could allow an attacker to:

Open a backdoor so they can continue to access the server
Launch a cryptominer that burns your cloud resources to generate money for themselves
Set up network surveillance tools to steal your customers’ data

How to fix it

A patch was released in version 5.0.3 of the plugin. Unfortunately, that patch did not resolve the issue. A second patch, 5.0.4, was released that removed some special characters, illegal in filenames, that would be used in a local file inclusion attack. This helped reduce the risk, but still didn’t completely remove the vulnerability. A third patch, 5.0.5, adds more protection by making use of PHP’s realpath function.
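To make the mechanism concrete, here is an added illustration of the two patterns the article contrasts: user input concatenated into an include path with no validation, and the same loader hardened with realpath() plus a containment check. This is example code written for this article, not the plugin's own code; the function names, the `templates` directory and the `template` query parameter are hypothetical.

```php
<?php
// Added example, not code from Essential Addons for Elementor.
// Hypothetical layout: the loader is only ever meant to include files from
// this directory (assumption).
const TEMPLATE_DIR = __DIR__ . '/templates';

// VULNERABLE PATTERN (the shape the article describes).
// User input is glued into a path and handed straight to include.
// Any "../" sequence in $name walks out of TEMPLATE_DIR, so the server
// ends up serving or executing a file it was never supposed to.
function load_template_unsafe(string $name): void
{
    $path = TEMPLATE_DIR . '/' . $name . '.php'; // no validation at all
    include $path;
}

// HARDENED PATTERN.
// 1. Accept only a plain slug (allowlist, not a denylist of "bad" characters:
//    stripping a few characters is what the partial 5.0.4-style fix amounted to).
// 2. Resolve both the base directory and the candidate with realpath(), which
//    collapses "..", "." and symlinks, so a prefix comparison is meaningful.
// 3. Refuse anything that resolves outside the base directory or does not exist.
function resolve_template(string $name): ?string
{
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        return null; // reject anything that is not a simple slug
    }

    $base = realpath(TEMPLATE_DIR);
    $candidate = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $candidate === false) {
        return null; // missing directory or file: refuse rather than guess
    }

    // Containment check on the *resolved* paths. The trailing separator stops
    // "/srv/templates-evil" from passing as a child of "/srv/templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the template directory
    }

    return $candidate;
}

function load_template_safe(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400); // log this: it is a signal worth alerting on
        error_log('rejected template name: ' . bin2hex($name));
        return;
    }
    include $path;
}

// Usage (hypothetical request parameter). The hardened loader rejects
// "../outside", "price-list.php" and an empty string, and only includes
// TEMPLATE_DIR/price-list.php for the input "price-list".
load_template_safe((string) ($_GET['template'] ?? ''));
```

Two things to note for reviewing similar code: realpath() returns false for a path that does not exist, so the check must treat false as a rejection rather than fall through; and the comparison has to be done on the realpath() output of both sides, since comparing against the unresolved TEMPLATE_DIR string would let a symlink or "../" sequence slip past.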

If you use Essential Addons for Elementor:

Check that you have version 5.0.6 or later. As mentioned above, the previous patches didn’t fully address the issue
Make sure your web developer is validating all inputs. User-supplied data cannot be trusted