This security hole makes it possible for attackers to trick the plugin into accessing and including a server-side file by using a filename supplied in the incoming web request. This means a malicious visitor could trick an unpatched server into handing out a file it’s not supposed to, such as the server’s own username database, or force the server into running a script it shouldn’t, creating a remote code execution (RCE) hole.
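The bug class described above is a local file inclusion: a filename taken from the request is used to build the path passed to `include`. The following added example (not code from Essential Addons for Elementor or from this post) shows the vulnerable pattern next to one way to harden it; the `layouts/` directory, the `layout` query parameter and the allowed layout names are assumptions made for the illustration.

```php
<?php
// Added example: a request-controlled include, and a hardened replacement.
// Assumed layout: a plugin keeps its templates in ./layouts/<name>.php and
// picks one with a query parameter such as ?layout=grid.

// Vulnerable pattern: the request value is spliced straight into the path,
// so whatever the client sends decides which file the server includes.
function load_layout_vulnerable(string $layout): void
{
    include __DIR__ . '/layouts/' . $layout . '.php';
}

// Hardened pattern: an allowlist of known names plus a canonicalised-path
// check that confines the include to the layouts directory.
function load_layout_safe(string $layout): bool
{
    static $allowed = ['grid', 'list', 'masonry'];   // assumed layout names

    // 1. Only names the plugin itself defines are acceptable. (In WordPress,
    //    sanitize_key() can additionally normalise the raw parameter.)
    if (!in_array($layout, $allowed, true)) {
        return false;
    }

    // 2. Resolve both the base directory and the target, then require the
    //    target to sit below the base. realpath() collapses '..' segments and
    //    returns false for a file that does not exist.
    $base = realpath(__DIR__ . '/layouts');
    $path = realpath($base . '/' . $layout . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    include $path;
    return true;
}

// Request handling: default to a known layout and refuse anything unknown.
$layout = (isset($_GET['layout']) && is_string($_GET['layout']))
    ? $_GET['layout']
    : 'grid';

if (!load_layout_safe($layout)) {
    http_response_code(400);
    echo 'Unknown layout';
}
```

The allowlist alone closes the hole; the `realpath` check is a second, independent guard so that a later change to how `$layout` is derived cannot silently reopen it.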
Webserver RCE bugs are typically used to implant malware that allows the attackers to do something to your immediate detriment. Familiar examples of how cybercriminals exploit RCE bugs include:
Essential Addons for Elementor users need to check that they have version 5.0.6 or later. WordPress Elementor users can check whether they have the plugin installed, and update it, by following these instructions:
If you’re a subscriber to either CyberHoot’s Security Awareness Tool (SAT) or our virtual Chief Information Security Officer (vCISO) services, you have access to our Policy and Process library, which you can use to create your own Vulnerability Alert Management Process (VAMP) for handling these situations. This document prescribes how to categorize different vulnerability alerts and how to respond to each according to its risk (i.e., within what time frame). If your company has not yet adopted a VAMP-like process, now is a great time to get started, but only after you patch or upgrade your WordPress site.