The Essential Addons for Elementor WordPress plugin, which has over a million users, recently patched multiple vulnerabilities that could have allowed an attacker to run arbitrary code on a targeted WordPress website.
LFI to RCE Attack Vulnerability
According to the U.S. Government NIST website, the vulnerabilities in the Essential Addons for Elementor plugin made it possible for an attacker to launch a Local File Inclusion (LFI) attack. In an LFI attack the application includes a file whose path the attacker can influence, which lets the attacker make the WordPress installation read arbitrary files on the server and reveal sensitive information.
From there the attack can escalate to the more serious Remote Code Execution (RCE). In an RCE attack the attacker runs arbitrary code on the WordPress server, with consequences ranging from data theft to a full site takeover.
As an example, a Local File Inclusion attack can be carried out by changing a URL parameter so that it points at a file the application was never meant to include, such as a file outside the plugin's template directory that contains credentials.
This was made possible because the Essential Addons for Elementor WordPress plugin did not properly validate and sanitize the template data it used.
Validation checks that an input matches what the application expects and rejects anything that does not; sanitization removes or neutralizes the parts of an input that do not belong. In simple terms, validation and sanitization can be thought of as a lock that accepts only a key with a specific pattern. A failure to validate and sanitize is like a lock that any key can open.
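The following PHP is an added illustrative example, not code from the Essential Addons for Elementor plugin. It models the class of bug described above, request data used to build an include path, beside a hardened version that validates the value against an allow-list and confirms the resolved path stays inside the template directory. The parameter name, directory layout and template names are assumptions made for the demonstration, and the files it creates are constructed sample data.

```php
<?php
// Added example, not the plugin's own code. Models "template data used in an
// include statement" with and without validation. The template parameter,
// directory layout and template names below are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the request value is concatenated into the include path
// as-is. ?template=../secret.txt walks out of the templates directory, and a
// traversal to a user-uploaded file that contains PHP turns the read into RCE.
function template_path_vulnerable(string $base, string $param): string
{
    return $base . '/' . $param;
}

// Hardened pattern: validate against an allow-list of known template names,
// then check that the resolved path is still inside $base before including it.
function template_path_hardened(string $base, string $param): ?string
{
    static $allowed = ['default', 'grid', 'list'];   // assumed template names
    if (!in_array($param, $allowed, true)) {
        return null;                                  // validation failed
    }
    $root = realpath($base);
    $path = realpath($base . '/' . $param . '.php');
    // Defence in depth: even an allow-listed name must resolve under $root
    // (guards against symlinks or a mis-populated templates directory).
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Self-contained demo: build a throw-away directory layout (constructed data).
$tmp = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/templates", 0700, true);
file_put_contents("$tmp/templates/grid.php", "<?php echo \"grid template\\n\";");
file_put_contents("$tmp/secret.txt", "DB_PASSWORD=hunter2\n");

// Attacker-controlled value, as it would arrive in $_GET['template'] (assumed name).
$param = '../secret.txt';

$bad = template_path_vulnerable("$tmp/templates", $param);
echo "vulnerable resolves to: ", realpath($bad), "\n";  // ends in /secret.txt, outside templates/
echo "contents read via LFI: ", file_get_contents($bad); // include would expose the same bytes

var_dump(template_path_hardened("$tmp/templates", $param)); // NULL: rejected by the allow-list

$ok = template_path_hardened("$tmp/templates", 'grid');
include $ok;                                             // only the allow-listed file runs

// Clean up the constructed files.
unlink("$tmp/templates/grid.php");
unlink("$tmp/secret.txt");
rmdir("$tmp/templates");
rmdir($tmp);
```

Run it with `php lfi_demo.php`. The allow-list is the fix that matters: once the parameter can only select among known names, traversal sequences never reach `include`. The `realpath` prefix check is a second layer for the case where the template directory itself is not what the code expects.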
According to the United States Government National Vulnerability Database:
“The Essential Addons for Elementor WordPress plugin before 5.0.5 does not validate and sanitise some template data before using them in include statements, which could allow unauthenticated attackers to perform a Local File Inclusion attack and read arbitrary files on the server, this could also lead to RCE via user uploaded files or other LFI to RCE techniques.”
Security site WPScan, which first discovered and reported the vulnerability, published the following description: