Elementor is one of the most successful WordPress add-ons, enabling users to create WordPress websites without coding. Its drag-and-drop interface comes with several ready-to-use widgets. Like other popular plugins, Elementor also has third-party addons that enhance its functions. Essential Addons for Elementor is one of them.
RCE is possible
Security researchers discovered a Local File Inclusion (LFI) vulnerability in the Essential Addons for Elementor addon. Website owners running addon version 5.0.4 and below should be aware. The bug lets any user perform a local file inclusion attack. An attacker can use this flaw to include a file containing malicious PHP code and achieve Remote Code Execution (RCE).
The flaw is only reachable when a site uses widgets that call the vulnerable function, so not all websites with Essential Addons for Elementor installed are exposed. The Dynamic Gallery and Product Gallery widgets use the flawed code. The function that causes the vulnerability is shown below:
// User-controlled request data, taken without validation
$template_info = $_REQUEST['template_info'];
// ...
// The path is assembled directly from the request values
$file_path = sprintf(
    '%s/Template/%s/%s',
    $file_path,
    $template_info[ 'name' ],
    $template_info[ 'file_name' ]
);
// ...
$html .= HelperClass::include_with_variable( $file_path, [ 'settings' => $settings, 'link_settings' => $link_settings, 'iterator' => $iterator ] );
// ...
public static function include_with_variable( $file_path, $variables = [])
{
    // Only existence is checked, not whether the path stays in the template directory
    if (file_exists($file_path)) {
        extract($variables);
        ob_start();
        include $file_path;
        return ob_get_clean();
    }
    return '';
}
As Patchstack reports, the addon developers were aware of the issue and tried to fix it in version 5.0.3. However, that fix was not sufficient. Version 5.0.4 was then released to resolve the issue. Finally, version 5.0.5 adds more security by using PHP's realpath function.
Users of Essential Addons for Elementor should apply the update immediately to avoid the vulnerability.
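One way a realpath-based containment check can close this class of bug, shown as an added example that is not the plugin's own 5.0.5 code. The function names resolve_template_path and include_with_variable_safe and the demo directory layout are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper names); not the plugin's 5.0.5 code.

// Return the canonical template path only if it stays inside $base_dir.
function resolve_template_path(string $base_dir, $template_info): ?string
{
    // Request data may be a string or nested array; require two strings.
    if (!is_array($template_info)
        || !is_string($template_info['name'] ?? null)
        || !is_string($template_info['file_name'] ?? null)) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves "../" and symlinks; false means no such file.
    $candidate = realpath($base . '/' . $template_info['name'] . '/' . $template_info['file_name']);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Containment: the canonical path must sit under the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only PHP templates are expected here.
    return strtolower(pathinfo($candidate, PATHINFO_EXTENSION)) === 'php' ? $candidate : null;
}

function include_with_variable_safe(string $base_dir, $template_info, array $variables = []): string
{
    $path = resolve_template_path($base_dir, $template_info);
    if ($path === null) {
        return '';
    }
    extract($variables, EXTR_SKIP); // never overwrite $path or other locals
    ob_start();
    include $path;
    return ob_get_clean();
}

// Constructed demo tree in the system temp directory.
$root = sys_get_temp_dir() . '/ea_demo_' . bin2hex(random_bytes(4));
mkdir("$root/Template/gallery", 0700, true);
file_put_contents("$root/Template/gallery/default.php", '<?php echo "item {$iterator}";');
file_put_contents("$root/outside.php", '<?php echo "outside the template tree";');
// A template inside the tree, then a request whose name climbs out of it.
var_dump(include_with_variable_safe("$root/Template", ['name' => 'gallery', 'file_name' => 'default.php'], ['iterator' => 1]));
var_dump(include_with_variable_safe("$root/Template", ['name' => '..', 'file_name' => 'outside.php']));
```

Comparing canonical paths after realpath, rather than filtering "../" out of the raw input, also covers symlinks that point outside the template directory.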