Remote Code Execution (RCE) Vulnerability
This security hole makes it possible for attackers to trick the plugin into accessing and including a server-side file by using a filename supplied in the incoming web request. This means a malicious visitor could trick an unpatched server into handing out a file it’s not supposed to, such as the server’s own username database, or force the server into running a script it shouldn’t, creating a remote code execution (RCE) hole.
Webserver RCE bugs are typically used to implant malware that allows the attackers to do something to your immediate detriment. Familiar examples of how cybercriminals exploit RCE bugs include:
- Opening up a backdoor, so they can sell access to your server onto other crooks.
- Launching a cryptominer to steal your electricity or cloud services to generate money for themselves.
- Setting up network surveillance tools to snoop on and steal your own or your customers’ data.
What Should You Do?
Essential Addons for Elementor users need to check that you have version 5.0.6 or later. WordPress Elementor users can check if they have the plugin and update by following these instructions:
- Login to your WordPress site
- On the menu on the left-hand side, find ‘Plugins‘ and click on it
- Scroll down to find ‘Essential Addons for Elementor‘
- If a patch is available, it will tell you in a yellow box that ‘There is a new version of Essential Addons for Elementor available.’
- Click on ‘Update Now‘ to patch the plugin
- Bonus: You can enable ‘auto-updates’ by clicking on ‘Enable Auto-Updates‘ on the right-hand side
You have a Vulnerability Alert Management Process, right?
If you’re a subscriber to either CyberHoot’s Security Awareness Tool (SAT), or our virtual Chief Information Security Officer (vCISO) services, you’ll have access to our Policy and Process library which create your own Vulnerability Alert Management Process (VAMP) for handling these situations. This document prescribes how categorize different vulnerability alerts, and then respond in each situation according to the risk (i.e.: what time frame). If your company has not yet adopted a VAMP-like process, now is a great time to get started, but only after you patch/upgrade your WordPress site.