A critical security vulnerability in Essential Addons for Elementor Patched. Is your site still vulnerable?

Essential Addons for Elementor Security Vulnerability

Essential Addons for Elementor, a WordPress plugin with over 1 million active installations, has recently been in the news for a critical vulnerability in versions 5.0.4 and below, classified as an unauthenticated Local File Inclusion (LFI). The vulnerability was originally discovered by Wai Yan Myo Thet; here is the description as stated by WPScan:

The plugin does not validate and sanitise some template data before using them in include statements, which could allow unauthenticated attackers to perform a Local File Inclusion attack and read arbitrary files on the server. This could also lead to RCE via user uploaded files or other LFI to RCE techniques.

And here’s the explanation of the vulnerability by Patchstack,

This vulnerability allows any user, regardless of their authentication or authorization status, to perform a local file inclusion attack. This attack can be used to include local files on the filesystem of the website, such as /etc/passwd. This can also be used to perform RCE by including a file with malicious PHP code that normally cannot be executed.

The described vulnerability was finally fixed in version 5.0.5, after several insufficient patches by the plugin developer.

The WordPress.org changelog for the plugin reads:
5.0.5 – 28/01/2022
Improved: Enhanced Security to prevent inclusion of unwanted file from remote server through ajax request

Critical Vulnerability in Essential Addons for Elementor

Unauthenticated Local File Inclusion

  • Affected versions: versions 5.0.4 and below
  • CVE-ID (Common Vulnerabilities and Exposures ID): CVE-2022-0320
  • CVSS Score: 8.6 (High Severity)
  • OWASP TOP 10: A1: Injection

The plugin offers 80+ creative elements and extensions for the Elementor page builder. However, the vulnerability is only reachable when the Dynamic Gallery or Product Gallery widget is in use, since those widgets expose the affected AJAX actions. The LFI exists because user-supplied request data is used, without sanitisation, to build the path handed to PHP's include statement in the ajax_load_more and ajax_eael_product_gallery functions.

Here’s the vulnerable code in Essential Addons for Elementor plugin allowing for unauthenticated local file inclusion:

// ... (inside ajax_load_more / ajax_eael_product_gallery)
// attacker-controlled: name and file_name come straight from the query string or POST body
$template_info = $_REQUEST['template_info'];
// ...
// no sanitisation: a "../" in either value walks out of the Template directory
$file_path = sprintf(
    '%s/Template/%s/%s',
    $file_path,
    $template_info[ 'name' ],
    $template_info[ 'file_name' ]
);
// ...
$html .= HelperClass::include_with_variable( $file_path, [ 'settings' => $settings, 'link_settings' => $link_settings, 'iterator' => $iterator ] );
// ...
// the helper only checks that the file exists, then includes (i.e. executes) it
public static function include_with_variable( $file_path, $variables = [])
{
    if (file_exists($file_path)) {
        extract($variables);

        ob_start();

        include $file_path;

        return ob_get_clean();
    }

    return '';
}

$template_info gets its value from $_REQUEST, i.e. from the URL query string or the POST body, so an unauthenticated attacker controls both template_info[name] and template_info[file_name]. Those values are concatenated with a base directory into a file path by sprintf, and the path is handed to HelperClass::include_with_variable. That function checks only that the file exists before passing it to include; nothing strips or rejects traversal sequences such as ../, so the include can be pointed at any file the web server can read. That is the local file inclusion, and because include executes PHP, pointing it at a file containing attacker-supplied PHP (for example an uploaded image with PHP appended) turns it into remote code execution.

Patches were attempted in versions 5.0.3 and 5.0.4, but each could still be bypassed; the issue was finally fixed in version 5.0.5, when the plugin author applied PHP's realpath() function to the path. realpath() resolves ../ segments and symlinks into a canonical absolute path, so the result can be compared against the plugin's own template directory and a traversal payload can no longer point the include outside it. Note that realpath() by itself rejects nothing; the protection comes from checking the canonical path against the expected directory before including it.
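To make the taint flow and the fix concrete, here is an added, self-contained PHP demo. It is not part of the plugin or of the original post: it rebuilds the include helper shown above against a throwaway directory tree, feeds it a traversal payload, and then shows a realpath()-plus-prefix check of the kind a hardened version needs. The function names vulnerable_path() and safe_path(), the directory layout and the request payloads are this example's own assumptions, not the plugin's actual 5.0.5 code.

```php
<?php
declare(strict_types=1);

// Added demo, not Essential Addons code. $base, vulnerable_path() and
// safe_path() are this example's own names. It builds a throwaway tree,
// reproduces the include flow from the advisory against it, and then shows
// a realpath()-based confinement check stopping the traversal.

// Throwaway layout (constructed for the demo):
//   <base>/Template/Gallery/default.php   a legitimate template
//   <base>/secret.php                     a file outside the template tree
$base = sys_get_temp_dir() . '/eael-lfi-demo-' . bin2hex(random_bytes(4));
mkdir("$base/Template/Gallery", 0700, true);
file_put_contents(
    "$base/Template/Gallery/default.php",
    '<?php echo "template rendered for item ", $iterator, "\n";'
);
file_put_contents("$base/secret.php", '<?php echo "secret.php was included\n";');

// Same shape as HelperClass::include_with_variable: file_exists() is the only gate.
function include_with_variable(string $file_path, array $variables = []): string
{
    if (file_exists($file_path)) {
        extract($variables);
        ob_start();
        include $file_path;
        return ob_get_clean();
    }
    return '';
}

// Vulnerable: name and file_name are used exactly as they arrive in $_REQUEST['template_info'].
function vulnerable_path(string $base, array $template_info): string
{
    return sprintf('%s/Template/%s/%s', $base, $template_info['name'], $template_info['file_name']);
}

// Hardened: canonicalise with realpath(), then require the result to sit under <base>/Template/.
// realpath() alone rejects nothing; it only makes the prefix comparison meaningful.
function safe_path(string $base, array $template_info): ?string
{
    $root      = realpath("$base/Template");
    $candidate = realpath(vulnerable_path($base, $template_info));
    if ($root === false || $candidate === false || !is_file($candidate)) {
        return null;                              // non-existent path, or not a regular file
    }
    $root .= DIRECTORY_SEPARATOR;                 // so "/Template-evil/x" cannot match "/Template"
    if (strncmp($candidate, $root, strlen($root)) !== 0) {
        return null;                              // resolved outside the template directory
    }
    return $candidate;
}

// Constructed requests: what a widget would send, and a traversal payload.
$legit = ['name' => 'Gallery', 'file_name' => 'default.php'];
$evil  = ['name' => '..',      'file_name' => 'secret.php'];   // <base>/Template/../secret.php

echo "vulnerable + legit : ", include_with_variable(vulnerable_path($base, $legit), ['iterator' => 1]);
echo "vulnerable + evil  : ", include_with_variable(vulnerable_path($base, $evil),  ['iterator' => 1]);
echo "hardened   + legit : ", include_with_variable(safe_path($base, $legit) ?? '', ['iterator' => 2]);
echo "hardened   + evil  : ", var_export(safe_path($base, $evil), true), "\n";   // NULL, nothing included

// Remove the throwaway tree.
unlink("$base/Template/Gallery/default.php");
unlink("$base/secret.php");
rmdir("$base/Template/Gallery");
rmdir("$base/Template");
rmdir($base);
```

Run it with the PHP CLI (php demo.php). The vulnerable branch happily includes secret.php, because file_exists() resolves the ../ just like include does; the hardened branch returns NULL for the same payload and still serves the legitimate template. Two details matter in safe_path(): realpath() returns false for paths that do not exist, so it must be checked before any string comparison, and the trailing directory separator on the root keeps a sibling directory with the same prefix from passing the check.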

Recommendation: Essential Addons for Elementor plugin

Is your site still running version 5.0.4 or below of the Essential Addons for Elementor plugin? (With WP-CLI, wp plugin get essential-addons-for-elementor --field=version prints the installed version.) It's time to update to the latest version and also run a complete website scan using our malware scanner to make sure there are no signs of infection. Because the flaw lets an attacker include arbitrary files, a site that was exploited may already contain attacker-supplied PHP, so pay particular attention to the uploads directory during that scan.
