WEBSITE 2 DESIGN

Alert: Vulnerability on Essential Addons For Elementor WordPress Plugin - Updated 31 Jan, 2022

February 2, 2022

Essential Addons for Elementor WordPress plugin affected by a critical Remote Code Execution (RCE) vulnerability that severely impacts v5.0.4 and older.

Vulnerability Fixed Patch update - 31 January, 2022

Essential Addons for Elementor is a free and popular WordPress plugin and it is an addon for the Famous Elementor Page Builder.

The vulnerability was discovered by Wai Yan Myo Thet, the flaw can be exploited only if websites have used the “Dynamic Gallery” and “Product Gallery” widgets enabled so that a none token check is present.

This nonce token is only visible when these widgets are enabled.

Any user regardless of their authentication or authorization status can exploit the vulnerability to perform a local file inclusion attack, such as a malicious PHP file that normally cannot be executed, to remotely gain code execution on sites running a vulnerable version of the plugin.

This attack can be used to include local files on the filesystem of the website, such as /etc/passwd.

The local file inclusion vulnerability exists due to the way user input data is used inside of PHP’s include function that are part of the ajax_load_more and ajax_eael_product_gallery functions.

The snippets of code that was causing the vulnerability:

// ...
$template_info = $_REQUEST['template_info'];
// ...
$file_path = sprintf(
    '%s/Template/%s/%s',
    $file_path,
    $template_info[ 'name' ],
    $template_info[ 'file_name' ]
);
// ...
$html .= HelperClass::include_with_variable( $file_path, [ 'settings' => $settings, 'link_settings' => $link_settings, 'iterator' => $iterator ] );
// ...
public static function include_with_variable( $file_path, $variables = [])
{
    if (file_exists($file_path)) {
        extract($variables);

        ob_start();

        include $file_path;

        return ob_get_clean();
    }

    return '';
}

First, $template_info is filled with user input data taken from $_REQUEST, which is taken from the URL or POST payload. This is then concatenated with some other values into a file path. This file path is passed on to the function include_with_variable as part of the HelperClass class. This function takes the file path and includes it which allows for the local file inclusion vulnerability to exist.

Essential Addons for Elementor Patch

First Patch

A first patch attempt was applied to version 5.0.3 of the plugin. Unfortunately, the patch, which can be seen below, was not sufficient. This only applies the sanitize_text_field function of WordPress over the user input data, but this does not prevent local file inclusion attacks as its only purpose is to: check for invalid UTF-8, convert single < characters to entities, strips all tags, remove line breaks, tabs, and extra whitespace and strip octets. A payload consisting of ../ would still pass this function.

Second Patch

The second patch was applied to version 5.0.4 of the plugin. This patch, which can be seen below, calls the sanitize_file_name function of WordPress. This function removes a large number of special characters that are illegal in filenames, including dots and slashes that would be used in local file inclusion attacks.

Third Patch

The third patch was applied to version 5.0.5 of the plugin which can be seen below. This adds more security by making use of PHP's realpath function. This function returns the canonicalized absolute pathname by expanding all symbolic links and resolves references to ., ../, etc. in the input path.

Timeline For This Vulnerability

  • 25-01-2022 – We discovered the vulnerability in Essential Addons for Elementor and released a virtual patch to all Patchstack paid version customers.
  • 25-01-2022 – We reached out to the developer of the plugin. The issue was known to them as it was reported to them already. We made the comment that their current patch is insufficient.
  • 28-01-2022 – The developer released version 5.0.5 which contains a sufficient patch.
  • 31-01-2022– Added the vulnerability to the Patchstack vulnerability database.
  • 31-01-2022 – Published the article.

Solution

It is recommended that we share this information with our friends and colleagues and let them update the plugin to the latest version 5.0.5 or greater to avoid getting a critical malware attack. Additionally, it is always a good practice to have a Daily Backup of your website, so if you lose your website access a backup would be the best way to retrieve back the site.

Leave a Reply

Your email address will not be published.