WordPress Plugin Vulnerability Affects 600,000 Websites

The vulnerability was discovered a week ago — on January 25 — by Wai Yan Myo Thet, a researcher at PatchStack. According to him, the developer of Essential Addons for Elementor already knew about the security flaw at the time and even released a version to solve the problem.

Figure: code example that allows the flaw.

However, the developer was unable to fix the flaw. New functions were added in patch 5.0.4 to prevent the vulnerability, but the plugin only received an effective update with the latest version, released on January 28.

Malicious code execution

A local file inclusion attack can be carried out by any user, regardless of their authentication or authorization status. The technique can be used to inject malicious PHP code into files or to include local files on the website's system. According to Bleeping Computer, more than 600,000 websites have yet to apply the security update.
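To show what a fix for this class of bug has to enforce, here is an added PHP example; it is not the plugin's code and not from the original article. The function name `resolve_template`, the template names and the directory layout are all assumptions made for illustration.

```php
<?php
// Added example with hypothetical names; not Essential Addons code.
// The risky pattern is a request value used directly in an include, e.g.
//   include $baseDir . '/' . $_REQUEST['template'] . '.php';

/**
 * Map a requested template name to a file inside $baseDir, or return null.
 */
function resolve_template(string $baseDir, string $name, array $allowed): ?string
{
    // 1. Allowlist: accept only names the code itself registered.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 2. Containment (defence in depth against a bad allowlist entry or a
    //    symlink): the canonical path must stay under the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary template directory holding two templates.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/grid.php', "<?php echo 'grid';");
file_put_contents($dir . '/list.php', "<?php echo 'list';");
$allowed = ['grid', 'list'];

// Constructed request values: two valid names and three that must be refused.
foreach (['grid', 'list', '../outside', 'grid/../../outside', ''] as $requested) {
    $file = resolve_template($dir, $requested, $allowed);
    printf("%-22s => %s\n", var_export($requested, true),
        $file === null ? 'rejected' : basename($file));
}

// Clean up the demo directory.
array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);
```

Because the resolver never builds a path from an unlisted name, the unauthenticated reachability described above stops mattering for file inclusion: the caller can only ever select one of the registered templates.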

Users of the Essential Addons for Elementor plugin can get the latest version of the software from this link or update directly from the WordPress dashboard.
