Elementor is a popular WordPress plugin used in over a million sites that provides easy-to-use and creative elements to improve the appearance of the pages.
The plugin is affected by a critical remote code execution vulnerability that impacts version 5.0.4 and prior one. An unauthenticated user can exploit the vulnerability to perform a LFI attack, such as a PHP file, to remotely gain code execution on sites running a vulnerable version of the plugin.
The local file inclusion vulnerability exists due to the way user input data is used inside of PHP’s include function that are part of the ajax_load_more and ajax_eael_product_gallery functions.
Initially, the development team tried to fix the flaw by implementing a “sanitize_text_field” function on the user input data. But it’s been discovered, that still possible the inclusion of local payloads, then a second patch was applied to version 5.0.4.
The new patch invokes the WordPress sanitize file_name function. The function removes special characters that are not admitted in filenames, such as dots and slashes, in order to prevent local file inclusion attacks. Unfortunately, this version was still vulnerable and requested an additional review.
Version 5.0.5 was released on January 28, 2022, and it was installed only on 380,000 WordPress websites, more than 600K sites are still using a potentially vulnerable version.