Tens of Thousands of Websites Vulnerable to RCE Flaw in WordPress Plug-in – Dark Reading
Now-patched issue in Essential Addons for Elementor gives attackers a way to carry out local file inclusion attacks, researchers say.
February 2, 2022
Potentially tens, and possibly hundreds, of thousands of websites powered by WordPress are vulnerable to attack via a local file inclusion (LFI) bug that can be leveraged for remote code execution (RCE) in a widely used plug-in called Essential Addons for Elementor.
The plug-in has over 1 million installations worldwide and is designed to let website owners add a variety of customizations to pages that were built using the Elementor page builder for WordPress.
An independent security researcher recently discovered the flaw in versions 5.0.4 and below of Essential Addons for Elementor and reported the issue to the developer of the plug-in. The developer then released an updated version with a fix for the vulnerability. But researchers at PatchStack, a WordPress plug-in security vendor, tested the patch and found it to be defective. They reported it to the developer, and another version — this one with a fix that worked — was issued on Jan. 28.
In a blog post, PatchStack said the vulnerability gives any user, regardless of authentication or authorization status, a way to perform a so-called local file inclusion attack on a site running a vulnerable version of Essential Addons for Elementor. The attacker can make the site include a local file that is already present on the web server's file system, such as one containing malicious PHP code that the attacker managed to get onto the server by other means; because the file is passed through PHP's include mechanism, that code is then executed, turning the file inclusion into remote code execution.
According to PatchStack, the root cause is that the plug-in uses user-supplied input, without sufficient validation, when certain of its functions build the path of the file they include. As a result, a site is exploitable only if it uses widgets that call those functions.
Pravin Madhani, CEO and co-founder of K2 Cyber Security, describes local file inclusion (LFI) attacks as a technique for getting a Web application to run specific files on a Web server. "Typically, LFI occurs when an application uses the path to a file as input," Madhani says. "If the application treats this input as trusted, a local file may be used in the include statement."
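As an added illustration (not code from Essential Addons for Elementor, nor from PatchStack's write-up), the PHP below contrasts the bug class Madhani describes with a hardened version. The handler names, the `templates/` layout, and the `evil.php` file standing in for an attacker-planted file are all constructed for the demo; the hardened resolver applies an allowlist on the template name plus a containment check on the resolved path, which is the general fix for this class regardless of plug-in.

```php
<?php
// Added illustrative example, not code from Essential Addons for Elementor.
// It models the bug class the article describes: a request parameter is
// spliced into a file path that is passed to include(), so "../" sequences
// let the caller pull in any readable file on the server.

// Vulnerable pattern (hypothetical handler): $template_name comes straight
// from the request (e.g. $_POST) and is never validated.
function render_template_vulnerable(string $base_dir, string $template_name): string
{
    $file = $base_dir . '/' . $template_name . '.php';
    ob_start();
    include $file;              // "../evil" escapes $base_dir and runs evil.php
    return (string) ob_get_clean();
}

// Hardened resolver: allowlist the name's character set, resolve the real
// path, and verify it still sits under the template directory. Returns the
// resolved path, or null when the request must be refused.
function resolve_template_safe(string $base_dir, string $template_name): ?string
{
    // 1. Template names are plain identifiers: no slashes, dots, or NUL bytes.
    //    \z (not $) so a trailing newline cannot sneak past the anchor.
    if (!preg_match('/^[a-z0-9_-]+\z/', $template_name)) {
        return null;
    }
    // 2. realpath() returns false for a non-existent file, so a missing
    //    template is refused instead of being handed to include().
    $base_real = realpath($base_dir);
    $file_real = realpath($base_dir . '/' . $template_name . '.php');
    if ($base_real === false || $file_real === false) {
        return null;
    }
    // 3. Containment check on the resolved paths, so a symlink inside the
    //    template directory cannot lead outside it either.
    $prefix = $base_real . DIRECTORY_SEPARATOR;
    if (strncmp($file_real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $file_real;
}

function render_template_safe(string $base_dir, string $template_name): string
{
    $file = resolve_template_safe($base_dir, $template_name);
    if ($file === null) {
        return '';  // refuse; a real handler would answer with a 400 or 403
    }
    ob_start();
    include $file;
    return (string) ob_get_clean();
}

// Demo on a constructed temporary layout:
//   <tmp>/templates/gallery.php   legitimate widget template
//   <tmp>/evil.php                stands in for a file an attacker got onto disk
$tmp = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($tmp . '/templates', 0700, true);
file_put_contents($tmp . '/templates/gallery.php', '<?php echo "gallery widget rendered"; ?>');
file_put_contents($tmp . '/evil.php', '<?php echo "attacker file executed"; ?>');
$base = $tmp . '/templates';

echo "vulnerable, '../evil': " . render_template_vulnerable($base, '../evil') . "\n";
echo "safe, 'gallery':       " . render_template_safe($base, 'gallery') . "\n";
echo "safe, '../evil':       " . var_export(resolve_template_safe($base, '../evil'), true) . "\n";
echo "safe, 'missing':       " . var_export(resolve_template_safe($base, 'missing'), true) . "\n";

// Remove the constructed files.
unlink($tmp . '/templates/gallery.php');
unlink($tmp . '/evil.php');
rmdir($tmp . '/templates');
rmdir($tmp);
```

The vulnerable call includes and executes `evil.php` because the traversal is resolved by the operating system, not by PHP. The hardened path rejects `../evil` at the allowlist step and `missing` at the `realpath()` step; the containment check is the backstop that also catches symlinks and any allowlist mistake. In a WordPress handler the same checks belong before every `include`/`require` whose path depends on request data, whether the request is authenticated or not.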
More WordPress Security Woes
For operators of WordPress websites, this flaw is only the latest in a long list of security vulnerabilities they have had to deal with over the years. Many of the issues have involved plug-ins for the platform. In January, for instance, another WordPress security vendor, Wordfence, reported discovering the same vulnerability in three separate WordPress plug-ins. The issue affected some 84,000 websites.
In December, researchers at Jetpack reported two vulnerabilities in a WordPress plug-in called All in One SEO: an authenticated privilege escalation bug (CVE-2021-25036) and an authenticated SQL injection bug (CVE-2021-25037). The vulnerabilities affected some 3 million websites when they were first disclosed. Yet another vulnerability that Wordfence disclosed in November, this time in a plug-in called Starter Templates — Elementor, Gutenberg & Beaver Builder Templates, impacted some 1 million websites.
Organizations can mitigate their exposure to these threats by implementing some basic best practices, Madhani says.
These include keeping the WordPress core up to date and properly patched. Organizations should also keep only the plug-ins they are actively using, and ensure that those plug-ins, too, are kept updated and patched. Having multilayered security controls is critical as well, he says.
This ideally should cover edge security, runtime application security, and server security, he says. As examples, he points to Web application firewalls, runtime application security controls, and endpoint detection and response technologies.
"Keep up to date on the incidents reported by your tools, and follow up on reports regularly, especially any critical security incidents," Madhani advises. "Make sure you have good password rules and password security (like MFA) for your WordPress site."
Jai Vijayan, Contributing Writer
Contributing Writer, Dark Reading
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.