Essential Addons for Elementor Patches Critical Security Vulnerability

Essential Addons for Elementor, a popular plugin with more than a million active installs, has patched a critical vulnerability that would allow for a local file inclusion attack.

The vulnerability was discovered by security researcher Wai Yan Myo Thet and reported to Patchstack on January 25, 2022. Patchstack customers received a virtual patch the same day. The issue was already known to the plugin’s developers, WPDeveloper, who issued two insufficient patches before it was ultimately fixed in version 5.0.5.

Patchstack published a summary of the vulnerability and explained how WordPress sites using the plugin could be compromised:

This vulnerability allows any user, regardless of their authentication or authorization status, to perform a local file inclusion attack. This attack can be used to include local files on the filesystem of the website, such as /etc/passwd. This can also be used to perform RCE by including a file with malicious PHP code that normally cannot be executed.

It’s important to note that the vulnerability primarily impacts users who have the dynamic gallery and product gallery widgets in use.

The plugin’s changelog makes the update seem more like an enhancement than a serious security concern, so users may not be fully aware that they need to update:

5.0.5 – 28/01/2022
Improved: Enhanced Security to prevent inclusion of unwanted file from remote server through ajax request
5.0.4 – 27/01/2022
Improved: Sanitized template file paths for Security Enhancement
Added: Support for new Capability Queries for WordPress 5.9
Fixed: Elementor Popups not being triggered
Few minor bug fixes & improvements
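The changelog entries above describe the fix only as sanitizing template file paths reached through an AJAX request. The following PHP is an added illustration of what that class of fix looks like in general; it is not code from Essential Addons for Elementor or WPDeveloper, and the function names, the templates directory and the sample file names are assumptions made for the example. It shows the unsafe shape (a request parameter concatenated straight into include) next to a hardened resolver that only ever includes a plain file name that resolves inside an allowlisted directory.

```php
<?php
// Added example, not plugin code: confine an AJAX-supplied template name to
// one templates directory before it can reach include().

/**
 * Resolve $requested to an absolute path inside $template_dir, or return
 * null when the request names anything outside that directory.
 */
function resolve_template_path(string $template_dir, string $requested): ?string
{
    $base = realpath($template_dir);
    if ($base === false) {
        return null; // allowlisted directory does not exist
    }

    // Accept only a bare file name: no separators, no scheme prefixes such
    // as http:// or php://, no traversal components such as "..".
    if (!preg_match('/^[A-Za-z0-9_-]+\.php\z/', $requested)) {
        return null;
    }

    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null; // file does not exist
    }

    // Defence in depth: the resolved path must still sit under $base even
    // if the name check above is ever relaxed.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $candidate;
}

// Hypothetical unsafe shape: the request value reaches include() unchecked,
// so a relative or remote path is included as-is. Shown for contrast only.
function load_template_unsafe(string $template_dir, string $requested): void
{
    include $template_dir . '/' . $requested; // do not use
}

// Hardened shape: only a resolved, in-directory path is ever included.
function load_template_safe(string $template_dir, string $requested): bool
{
    $path = resolve_template_path($template_dir, $requested);
    if ($path === null) {
        return false;
    }
    include $path;
    return true;
}

// Constructed demonstration: one legitimate template in a scratch directory.
$dir = sys_get_temp_dir() . '/template-demo';
@mkdir($dir, 0700, true);
file_put_contents($dir . '/gallery.php', "<?php echo 'gallery template loaded', PHP_EOL;");

$requests = [
    'gallery.php',                     // legitimate
    '../../../../etc/passwd',          // traversal
    'http://example.invalid/x.php',    // remote URL
    'gallery.php/../gallery.php',      // traversal hidden behind a valid name
];

foreach ($requests as $req) {
    $ok = load_template_safe($dir, $req);
    printf("%-32s => %s\n", $req, $ok ? 'included' : 'rejected');
}
```

Run with the PHP CLI; only gallery.php is included, every other request is rejected before include() runs. In a real WordPress handler the rejected branch would return an error with wp_send_json_error() rather than silently returning false, and the allowlisted directory would be the plugin's own templates folder rather than a temporary one.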

All versions earlier than 5.0.5 are considered vulnerable. WordPress.org stats don’t break down active installs according to minor versions, but approximately 54% of the plugin’s users are running versions older than 5.0.

While this might seem like more than half a million users are still vulnerable, those sites would also need to be using the specific widgets in question. If you are not sure whether you are using these widgets, it’s best to simply update as soon as possible anyway.
