Issued: Thursday, 3 February, 2022 |
Last Revision: Thursday, 3 February, 2022 |
Vendor: |
Product: |
Severity Level: |
There has been a discovery of a critical vulnerability in a WordPress plugin with over one million installations that could lead to the execution of arbitrary code on a compromised website.
The plugin is known as Essential Add-ons for “Elementor”, the plugin gives WordPress site owner/admin access to over 80 elements and extensions to design and customize pages and posts.
A local file inclusion attack can be carried out by any user, independent of their authentication or authorisation status. Local files on the website's file system, such as /etc/passwd, can be included using this approach. Additionally, a vulnerable version of the plugin can also be used to perform remote code execution by adding malicious PHP code that is normally not executable.
However, the vulnerability arises only if widgets such as dynamic gallery and product gallery are utilized, as they utilise the vulnerable function, resulting in the inclusion of local files.
WordPress releases version 5.0.5 to fix this vulnerability.
CVE/Vulnerability | Description | CVSS3.0 Score |
n/a | Remote Code Execution Vulnerability | n/a |
Table 1: Vulnerability details
CVE/Vulnerability | Affected Product(s) |
n/a | WordPress Version 5.0.4 and older |
Table 2: Vulnerable versions
Organizations are encouraged to verify the usage of vulnerable plugin in their in-house developed and/or hosted websites and apply the patch as soon as possible.