Updated: 01.27.2022
Critical Vulnerability Fixed In Essential Addons for Elementor Plugin
Dave
from patchstack

A critical vulnerability was fixed in the WordPress plugin Essential Addons for Elementor.

Do you want to be the first to be alerted about such vulnerabilities? Sign up for Patchstack Community (Free) plan and monitor up to 99 websites for free.

For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies.

Update February 1st, 2022: we would like to make clear that we did not originally discover this vulnerability. Researcher Wai Yan Myo Thet is the original discoverer of the vulnerability and also reported it to the developer of the plugin through or with help of WPScan.

The plugin Essential Addons for Elementor (versions 5.0.4 and below), which has over 1 million active installations, suffers from a critical vulnerability that was originally discovered by Wai Yan Myo Thet. This vulnerability allows any user, regardless of their authentication or authorization status, to perform a local file inclusion attack.

This attack can be used to include local files on the filesystem of the website, such as /etc/passwd. This can also be used to perform RCE by including a file with malicious PHP code that normally cannot be executed.

best elementor addon Essential Addons for Elementor

The plugin is described as a plugin that can enhance your Elementor page-building experience with 80+ creative elements and extensions. Add powers to your page builder using our easy-to-use elements that were designed to make your next WordPress page and post design easier and prettier than ever before.

The described vulnerability was fixed in version 5.0.5, after several insufficient patches by the developer of the plugin.

The security vulnerability in Essential Addons for Elementor

The local file inclusion vulnerability exists due to the way user input data is used inside of PHP's include function that is part of the ajax_load_more and ajax_eael_product_gallery functions.

It should be noted that the vulnerability only exists if widgets (dynamic gallery, product gallery) are used which utilize these functions due to the fact that a nonce token check is present. This nonce token is only visible when these widgets are enabled.

The snippets of code that cause the vulnerability look like the following:

// ...
$template_info = $_REQUEST['template_info'];
// ...
$file_path = sprintf(
    '%s/Template/%s/%s',
    $file_path,
    $template_info[ 'name' ],
    $template_info[ 'file_name' ]
);
// ...
$html .= HelperClass::include_with_variable( $file_path, [ 'settings' => $settings, 'link_settings' => $link_settings, 'iterator' => $iterator ] );
// ...
public static function include_with_variable( $file_path, $variables = [])
{
    if (file_exists($file_path)) {
        extract($variables);

        ob_start();

        include $file_path;

        return ob_get_clean();
    }

    return '';
}

First, $template_info is filled with user input data taken from $_REQUEST, which is taken from the URL or POST payload. This is then concatenated with some other values into a file path.

This file path is passed on to the function include_with_variable as part of the HelperClass class. This function takes the file path and includes it which allows for the local file inclusion vulnerability to exist.

The patch in Essential Addons for Elementor

A first patch attempt was applied to version 5.0.3 of the plugin. Unfortunately, the patch, which can be seen below, was not sufficient.

This only applies the sanitize_text_field function of WordPress over the user input data, but this does not prevent local file inclusion attacks as its only purpose is to: check for invalid UTF-8, convert single < characters to entities, strips all tags, remove line breaks, tabs, and extra whitespace and strip octets. A payload consisting of ../ would still pass this function.

Essential Addons for Elementor

The second patch was applied to version 5.0.4 of the plugin. This patch, which can be seen below, calls the sanitize_file_name function of WordPress. This function removes a large number of special characters that are illegal in filenames, including dots and slashes that would be used in local file inclusion attacks.

Critical Vulnerability Fixed In Essential Addons for Elementor Plugin

The third patch was applied to version 5.0.5 of the plugin which can be seen below. This adds more security by making use of PHP's realpath function.

This function returns the canonicalized absolute pathname by expanding all symbolic links and resolves references to ., ../, etc. in the input path.

Critical Vulnerability Fixed In Essential Addons for Elementor Plugin

Timeline

25-01-2022 - We came across the vulnerability when it was caught by our monitoring tools. We released a virtual patch to all Patchstack paid version customers.
25-01-2022 - We reached out to the developer of the plugin. The issue was known to them as it was reported to them already. We made the comment that their current patch is insufficient.
28-01-2022 - The developer released version 5.0.5 which contains a sufficient patch.
31-01-2022- Added the vulnerability to the Patchstack vulnerability database.
31-01-2022 - Published the article.

Websites with Patchstack paid version are protected from the issue and have received a virtual patch.

Share This Article
Related Articles
Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.
crossmenu