Some 600,000 websites running on WordPress are currently vulnerable because of a security hole in a popular plugin. The vulnerability in the Essential Addons for Elementor plugin allows hackers to take over sites remotely through Remote Code Execution (RCE). Website owners are advised to install version 5.0.5 as soon as possible; that version closes the hole.
Cybersecurity company Patchstack reports this in a blog post. The vulnerability came to light thanks to security researcher Wai Yan Myo Thet.
Vulnerability in popular WordPress plugin
This is a vulnerability in the Elementor plugin. Elementor is a so-called page builder that developers use to replace the standard WordPress editor. Simply put, the plugin offers more options for setting up a site to your own taste.
Over time, many extensions have been released for Elementor. One of them is Essential Addons. Whoever installs this plugin gets more than 80 extra elements and extensions for designing their site. It is a popular plugin among website builders: the statistics show that it has been installed on more than one million sites.
Security update available
A vulnerability in Essential Addons allowed unauthorized users to perform a so-called Local File Inclusion (LFI) attack. This gives hackers and other malicious parties access to a website and allows them to remotely infect a site with malicious code, which is also known as Remote Code Execution (RCE). The only requirement was that users had enabled the ‘Dynamic Gallery’ and ‘Product Gallery’ widgets.
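To show what a Local File Inclusion bug of this kind looks like and how a plugin author closes it, here is an added illustrative example in PHP. It is not code from Essential Addons or Patchstack; the function names, the template directory and the template names derived from the widget names are assumptions.

```php
<?php
// Added illustrative example, not code from Essential Addons for Elementor.
// It shows the general shape of a Local File Inclusion bug in a widget that
// loads a template chosen by request data, next to a hardened replacement.
// Function names, the template directory and the template names are assumed.

declare(strict_types=1);

// VULNERABLE PATTERN: the template name comes straight from the request and
// is handed to include. A value containing "../" escapes the template
// directory, so any readable file on the server can be included and, if it
// contains PHP, executed. That is how an LFI turns into RCE.
function render_gallery_template_unsafe(string $templateDir, array $request): void
{
    $file = $request['template'] ?? 'default.php';
    include $templateDir . '/' . $file;
}

// HARDENED: only names from a fixed allow list are accepted, and the resolved
// path is checked to still lie inside the template directory before inclusion.
function resolve_gallery_template(string $templateDir, array $request): ?string
{
    $allowed = ['default', 'dynamic-gallery', 'product-gallery']; // assumed names
    $name = (string) ($request['template'] ?? 'default');

    // 1. Structural check: a bare identifier only, so no slashes, dots or
    //    stream wrappers such as "php://" can get through.
    if (!preg_match('/^[a-z0-9-]+$/', $name) || !in_array($name, $allowed, true)) {
        return null;
    }

    // 2. Path check: canonicalise and confirm the file is under $templateDir.
    //    realpath() returns false for a missing file, which is rejected too.
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $name . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_gallery_template_safe(string $templateDir, array $request): void
{
    $path = resolve_gallery_template($templateDir, $request);
    if ($path === null) {
        http_response_code(400); // reject instead of guessing a fallback file
        return;
    }
    include $path;
}
```

In a real plugin the allow list would be the set of templates the widget actually ships, and the rejected requests are worth logging, since repeated "../" or wrapper strings in a template parameter are a useful detection signal.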
Security researcher Wai Yan Myo Thet reported the vulnerability to the plugin developer on Tuesday, January 25. He said he was already aware of the vulnerability and