Thursday, October 24, 2024
Security flaw in WordPress exposes millions of websites to hackers

A potentially harmful vulnerability has been found in a popular WordPress plugin used by more than a million websites globally.

The Essential Addons for Elementor plugin was found to contain a critical Remote Code Execution (RCE) flaw that allows attackers to perform a local file inclusion attack.

An RCE attack allows attackers to remotely execute malicious code on a computer. RCE attacks can range from malware execution to an attacker taking full control of a compromised machine.

The vulnerability was discovered in the plugin by cybersecurity researcher Wai Yan Myo Thet on January 25th, 2022, and was reported to Patchstack. Patchstack customers received a virtual update that same day.

Patchstack is a WordPress security firm that aims to protect websites from plugin vulnerabilities.

Before the attack, the owner of the plugin, WPDeveloper, was already aware of the vulnerability and had made two unsuccessful attempts to mitigate the issue.

Previously, versions 5.0.3 and 5.0.4 of the plugin attempted to resolve the issue but failed. A complete patch was released last week, with the roll-out of version 5.0.5.

More than a million WordPress websites use Essential Addons for Elementor. However, it is unclear how many of them have the widgets enabled. While more than 400,000 websites have already updated their installations to the patched versions of the plugin, 600,000 of these websites still remain potentially vulnerable.
