A critical RCE vulnerability exists in Essential Addons for Elementor, a popular WordPress plugin used by over a million websites; versions 5.0.4 and older are affected.
The vulnerability allows an unauthorized user to include a local file (local file inclusion), such as a PHP file, and thereby execute arbitrary code on the site.
The PatchStack experts who discovered the issue explain that the bug lies in the ajax_load_more and ajax_eael_product_gallery functions. The attack therefore requires the dynamic gallery and product gallery widgets to be present on the site, because those code paths perform no token check.
The vulnerability was identified on January 25, 2022, but by that time the plugin developers were already aware of its existence. They originally released version 5.0.3 to solve the problem by applying sanitize_text_field to user input. That did not help, and a second attempt at a fix came in version 5.0.4, which used sanitize_file_name and also stripped special characters.
Alas, the second fix did not work either, and eventually, with the help of PatchStack experts, version 5.0.5 was released; it uses the PHP realpath function, which prevents malicious pathname resolution.
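The point of the third fix is that the check runs on where the path actually resolves, not on which characters the string contains. The following is an added example, not the plugin's code, of containing a user-supplied template name to one directory with realpath() plus a prefix check; the base directory and file layout are constructed here for the demonstration.

```php
<?php
// Added example, not the plugin's own code: contain a user-supplied template name to one
// directory using realpath() plus a prefix check, the approach the 5.0.5 fix is described as
// taking. The base directory and the file layout below are constructed for the demonstration.

function resolve_template_path(string $base_dir, string $user_file): ?string
{
    $base = realpath($base_dir);
    if ($base === false) {
        return null;                                  // base directory must exist
    }
    // realpath() collapses "..", "." and symlinks, so the check below runs on where
    // the path actually lands rather than on the characters the string contains.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $user_file);
    if ($candidate === false) {
        return null;                                  // nonexistent file
    }
    // Compare against base plus a separator; a bare prefix test would accept
    // "/templates_other/x.php" for a base of "/templates".
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Only template files are includable, even inside the directory.
    if (pathinfo($candidate, PATHINFO_EXTENSION) !== 'php') {
        return null;
    }
    return $candidate;
}

// Constructed temporary layout: templates/, a look-alike sibling, a file outside, and a symlink.
$root = sys_get_temp_dir() . '/tpl-demo-' . bin2hex(random_bytes(4));
mkdir("$root/templates/sub", 0700, true);
mkdir("$root/templates_other", 0700, true);
file_put_contents("$root/templates/grid.php", "<?php echo 'grid';");
file_put_contents("$root/templates/sub/list.php", "<?php echo 'list';");
file_put_contents("$root/templates_other/grid.php", "<?php echo 'other';");
file_put_contents("$root/outside.php", "<?php echo 'outside';");
file_put_contents("$root/templates/notes.txt", "not a template");
symlink("$root/outside.php", "$root/templates/link.php");

// Expected: the first two are accepted, the remaining four are rejected.
foreach (['grid.php', 'sub/list.php', '../outside.php', '../templates_other/grid.php',
          'notes.txt', 'link.php'] as $name) {
    $resolved = resolve_template_path("$root/templates", $name);
    printf("%-30s => %s\n", $name,
        $resolved === null ? 'rejected' : 'ok: ' . substr($resolved, strlen($root) + 1));
}
```

The symlink case is why realpath() rather than string sanitising matters: link.php sits inside the allowed directory by name but resolves outside it, and the prefix check catches that.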
According to official statistics, the corrected version has been installed about 380,000 times. This means that 600,000 sites are still vulnerable and their operators have not yet installed the patch.
Source: xaker.ru