A WordPress plugin with above one particular million installs has been identified to comprise a critical vulnerability that could result in the execution of arbitrary code on compromised web sites.
The plugin in question is Vital Addons for Elementor, which provides WordPress internet site homeowners with a library of more than 80 aspects and extensions to assist style and design and customize web pages and posts.
“This vulnerability permits any person, no matter of their authentication or authorization status, to execute a neighborhood file inclusion attack,” Patchstack stated in a report. “This attack can be applied to incorporate community files on the filesystem of the internet site, these as /and so on/passwd. This can also be employed to perform RCE by like a file with destructive PHP code that ordinarily can’t be executed.”
That mentioned, the vulnerability only exists if widgets like dynamic gallery and item gallery are applied, which use the vulnerable operate, ensuing in community file inclusion – an attack strategy in which a web software is tricked into exposing or working arbitrary files on the webserver.
The flaw impacts all variations of the addon from 5..4 and underneath, and credited with getting the vulnerability is researcher Wai Yan Myo Thet. Subsequent accountable disclosure, the security gap was at last plugged in version 5..5 introduced on January 28 “after various insufficient patches.”
The advancement comes weeks soon after it emerged that unidentified actors tampered with dozens of WordPress themes and plugins hosted on a developer’s web site to inject a backdoor with the goal of infecting further more web pages.
Discovered this article interesting? Follow THN on Fb, Twitter and LinkedIn to browse additional exclusive content we article.
Some components of this write-up are sourced from: