Alert: Vulnerability on Essential Addons For Elementor WordPress Plugin - Updated 31 Jan, 2022
February 2, 2022
Essential Addons for Elementor WordPress plugin affected by a critical Remote Code Execution (RCE) vulnerability that severely impacts v5.0.4 and older.
Vulnerability Fixed Patch update - 31 January, 2022
Essential Addons for Elementor is a free and popular WordPress plugin and it is an addon for the Famous Elementor Page Builder.
The vulnerability was discovered by Wai Yan Myo Thet, the flaw can be exploited only if websites have used the “Dynamic Gallery” and “Product Gallery” widgets enabled so that a none token check is present.
This nonce token is only visible when these widgets are enabled.
Any user regardless of their authentication or authorization status can exploit the vulnerability to perform a local file inclusion attack, such as a malicious PHP file that normally cannot be executed, to remotely gain code execution on sites running a vulnerable version of the plugin.
This attack can be used to include local files on the filesystem of the website, such as /etc/passwd.
The local file inclusion vulnerability exists due to the way user input data is used inside of PHP’s include function that are part of the ajax_load_more and ajax_eael_product_gallery functions.
The snippets of code that was causing the vulnerability:
// ...
$template_info = $_REQUEST['template_info'];
// ...
$file_path = sprintf(
'%s/Template/%s/%s',
$file_path,
$template_info[ 'name' ],
$template_info[ 'file_name' ]
);
// ...
$html .= HelperClass::include_with_variable( $file_path, [ 'settings' => $settings, 'link_settings' => $link_settings, 'iterator' => $iterator ] );
// ...
public static function include_with_variable( $file_path, $variables = [])
{
if (file_exists($file_path)) {
extract($variables);
ob_start();
include $file_path;
return ob_get_clean();
}
return '';
}First, $template_info is filled with user input data taken from $_REQUEST, which is taken from the URL or POST payload. This is then concatenated with some other values into a file path. This file path is passed on to the function include_with_variable as part of the HelperClass class. This function takes the file path and includes it which allows for the local file inclusion vulnerability to exist.
A first patch attempt was applied to version 5.0.3 of the plugin. Unfortunately, the patch, which can be seen below, was not sufficient. This only applies the sanitize_text_field function of WordPress over the user input data, but this does not prevent local file inclusion attacks as its only purpose is to: check for invalid UTF-8, convert single < characters to entities, strips all tags, remove line breaks, tabs, and extra whitespace and strip octets. A payload consisting of ../ would still pass this function.
The second patch was applied to version 5.0.4 of the plugin. This patch, which can be seen below, calls the sanitize_file_name function of WordPress. This function removes a large number of special characters that are illegal in filenames, including dots and slashes that would be used in local file inclusion attacks.
The third patch was applied to version 5.0.5 of the plugin which can be seen below. This adds more security by making use of PHP's realpath function. This function returns the canonicalized absolute pathname by expanding all symbolic links and resolves references to ., ../, etc. in the input path.
It is recommended that we share this information with our friends and colleagues and let them update the plugin to the latest version 5.0.5 or greater to avoid getting a critical malware attack. Additionally, it is always a good practice to have a Daily Backup of your website, so if you lose your website access a backup would be the best way to retrieve back the site.
Warning: Undefined array key "preview" in /home/lkap42pX2mcsn4pm/Website2Design/public_html/wp-content/plugins/oxygen/component-framework/components/classes/comment-form.class.php on line 79