A security flaw has been identified in Essential Addons for Elementor, a very popular WordPress plugin used on over a million websites. The vulnerability affects versions 5.0.4 and earlier and allows unauthenticated users to run code on the website. The problem has been fixed in version 5.0.5, which is now available as an upgrade.
The vulnerability was discovered a week ago — on January 25 — by Wai Yan Myo Thet, a researcher at PatchStack. According to him, the developer of Essential Addons for Elementor already knew about the security flaw at the time and even released a version to solve the problem.
However, the plugin's developer was unable to fix the flaw at first: new functions were added in patch 5.0.4 to prevent the vulnerability, but the plugin only received an effective update with the latest version, released on January 28th.
Malicious code execution
A local file inclusion attack can be carried out by any user, regardless of their authentication or authorization status. This technique can be used to inject malicious PHP code into files or include local files on the website system. More than 600,000 websites, according to Bleeping Computer, have yet to apply the security update.
Users of the Essential Addons for Elementor plugin can get the latest version of the software from this link or update directly from the WordPress dashboard.
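For administrators who manage many sites, the version boundary given above (5.0.4 and earlier affected, 5.0.5 fixed) can be checked by script. The following is an added example, not code from the article or from the plugin; the function names and the sample headers are constructed for illustration, and it assumes the plugin's main PHP file carries the standard WordPress `Version:` header comment.

```python
import re

FIXED = (5, 0, 5)  # first fixed release named in the article

# Constructed plugin-file headers for illustration (not taken from real sites).
SAMPLES = {
    "site-a": "<?php\n/**\n * Plugin Name: Essential Addons for Elementor\n * Version: 5.0.4\n */\n",
    "site-b": "<?php\n/**\n * Plugin Name: Essential Addons for Elementor\n * Version: 5.0.5\n */\n",
    "site-c": "<?php\n/*\nPlugin Name: Essential Addons for Elementor\nVersion: 5.0.10\n*/\n",
    "site-d": "<?php\n// header stripped by a build step\n",
}

def header_version(php_source):
    """Return the 'Version:' value from a WordPress plugin header comment, or None."""
    # Plugin headers sit at the top of the file, so only the first 8 KiB is searched.
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", php_source[:8192], re.I | re.M)
    return m.group(1) if m else None

def parse_version(raw):
    """Turn '5.0.4' or '5.0.4.1-rc1' into a tuple of ints, padded to three parts."""
    m = re.match(r"\d+(?:\.\d+)*", raw)
    if not m:
        return None
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def status(php_source):
    """Classify one install as 'vulnerable', 'patched' or 'unknown'."""
    raw = header_version(php_source)
    version = parse_version(raw) if raw else None
    if version is None:
        return "unknown"  # no readable version: inspect by hand, do not assume safe
    # Integer tuples compare numerically, so 5.0.10 is correctly newer than 5.0.5.
    return "vulnerable" if version < FIXED else "patched"

def audit(samples):
    """Map each site name to its status."""
    return {site: status(src) for site, src in samples.items()}

if __name__ == "__main__":
    for site, result in sorted(audit(SAMPLES).items()):
        print(f"{site}: {result}")
```

In practice, pass `status()` the contents of the plugin's main PHP file from each installation; any site reported as `vulnerable` or `unknown` should be updated or inspected.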