Security Advisory: Elementor WordPress Plugin

2nd February 2022 | Advisory, Blog

February 2nd, 2022: CyberHoot has investigated a WordPress vulnerability tracked as CVE-2022-0320, whereby a security flaw can lead to data leakage and, more importantly, remote code execution. The flaw affects WordPress sites using Essential Addons for Elementor, a popular editing tool for WordPress authors. Because the vulnerability is reachable from the Internet, CyberHoot rates it 10 out of 10 for criticality if you operate an exposed WordPress site. You must take immediate action to patch your systems to the latest version of Essential Addons for Elementor.

Remote Code Execution (RCE) Vulnerability

This security hole makes it possible for attackers to trick the plugin into accessing and including a server-side file whose name is supplied in the incoming web request. A malicious visitor could therefore trick an unpatched server into handing out a file it is not supposed to, such as the server’s own username database, or force the server into running a script it shouldn’t, creating a remote code execution (RCE) hole.
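To make the bug class concrete, here is an added illustration (not the Essential Addons for Elementor code, and not from CyberHoot) of the general shape of a local-file-inclusion flaw next to a hardened template loader. The template names, the `templates/` directory and the function names are assumptions for the example.

```php
<?php
// Added illustration, not the Essential Addons for Elementor code: the shape of
// a local-file-inclusion bug and a hardened template loader.

// Insecure pattern: the name of the file to include comes straight from the
// request. Nothing stops the caller from naming a file outside the template
// directory, so arbitrary readable files can be disclosed or executed.
function load_template_insecure(array $request): void
{
    include __DIR__ . '/templates/' . $request['template'] . '.php';
}

// Hardened: only names on a fixed allowlist are accepted, and the resolved
// path is checked to still lie inside the template directory before use.
const ALLOWED_TEMPLATES = ['default', 'grid', 'list'];   // assumed template names

function resolve_template(string $requested): string
{
    if (!in_array($requested, ALLOWED_TEMPLATES, true)) {
        throw new InvalidArgumentException('unknown template: ' . $requested);
    }

    $base = realpath(__DIR__ . '/templates');
    $path = $base === false ? false : realpath($base . '/' . $requested . '.php');

    // Defence in depth: even an allowlisted name must resolve beneath $base,
    // so a symlink or a mistake in the allowlist cannot escape the directory.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('template resolved outside the template directory');
    }
    return $path;
}

function load_template(array $request): void
{
    $name = isset($request['template']) ? (string) $request['template'] : 'default';
    include resolve_template($name);
}
```

The allowlist does the real work; the `realpath()` confinement is a second check that holds even if the allowlist is later extended carelessly. Rejections thrown by `resolve_template()` are also worth logging: a burst of requests carrying unexpected template names is the signal a defender wants while a site is still inside its patch window.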

Webserver RCE bugs are typically used to implant malware that allows the attackers to do something to your immediate detriment. Familiar examples of how cybercriminals exploit RCE bugs include:

  • Opening up a backdoor, so they can sell access to your server to other crooks.
  • Launching a cryptominer to steal your electricity or cloud services to generate money for themselves.
  • Setting up network surveillance tools to snoop on and steal your own or your customers’ data.

What Should You Do?

If you use Essential Addons for Elementor, check that you have version 5.0.6 or later. WordPress Elementor users can check whether they have the plugin, and update it, by following these instructions:

  • Log in to your WordPress site
  • On the menu on the left-hand side, find ‘Plugins’ and click on it
  • Scroll down to find ‘Essential Addons for Elementor’
  • If a patch is available, it will tell you in a yellow box that ‘There is a new version of Essential Addons for Elementor available.’
  • Click on ‘Update Now’ to patch the plugin
    • Bonus: You can enable auto-updates by clicking on ‘Enable Auto-Updates’ on the right-hand side
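For administrators who manage several sites, the manual check above can be turned into an admin notice that flags any install still below the fixed version. The following must-use plugin is an added example written for this advisory (not CyberHoot’s code and not part of Essential Addons for Elementor); it relies on the standard WordPress functions `get_plugins()`, `add_action()`, `current_user_can()` and `esc_html()`, and matches the plugin by its display name, which is an assumption you should confirm against your own Plugins page.

```php
<?php
/**
 * Plugin Name: Essential Addons Version Check (added example, not the plugin's own code)
 * Description: Shows an admin notice when Essential Addons for Elementor is older than 5.0.6.
 */

// Drop this file into wp-content/mu-plugins/; must-use plugins load automatically.
const EAEL_MIN_SAFE_VERSION = '5.0.6';   // first version the advisory says is fixed

// Returns "Name version (file)" strings for installed plugins whose display
// name contains "Essential Addons for Elementor" and whose version is below
// the fix. Separated from the hook so it can be tested on a plain array.
function eael_find_vulnerable_installs(array $plugins): array
{
    $found = [];
    foreach ($plugins as $file => $data) {
        if (stripos($data['Name'], 'Essential Addons for Elementor') === false) {
            continue;
        }
        if (version_compare($data['Version'], EAEL_MIN_SAFE_VERSION, '<')) {
            $found[] = $data['Name'] . ' ' . $data['Version'] . ' (' . $file . ')';
        }
    }
    return $found;
}

add_action('admin_notices', function () {
    // Only users who can update plugins need to see (or act on) the notice.
    if (!current_user_can('update_plugins')) {
        return;
    }
    // get_plugins() lives in an admin include that is not always loaded.
    if (!function_exists('get_plugins')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $vulnerable = eael_find_vulnerable_installs(get_plugins());
    if ($vulnerable === []) {
        return;
    }
    echo '<div class="notice notice-error"><p>'
        . 'CVE-2022-0320: update Essential Addons for Elementor to '
        . esc_html(EAEL_MIN_SAFE_VERSION) . ' or later. Affected: '
        . esc_html(implode(', ', $vulnerable))
        . '</p></div>';
});
```

The version gate uses PHP’s built-in `version_compare()`, so pre-release strings such as `5.0.6-beta` sort below `5.0.6` and are still flagged. Because the notice appears on every admin page, it keeps nagging until the plugin is actually updated, which is the behaviour you want from a patch reminder.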

You have a Vulnerability Alert Management Process, right?

If you’re a subscriber to either CyberHoot’s Security Awareness Tool (SAT) or our virtual Chief Information Security Officer (vCISO) services, you’ll have access to our Policy and Process library, which lets you create your own Vulnerability Alert Management Process (VAMP) for handling these situations. This document prescribes how to categorize different vulnerability alerts and then respond in each situation according to the risk (i.e., within what time frame). If your company has not yet adopted a VAMP-like process, now is a great time to get started, but only after you patch/upgrade your WordPress site.

Sources

  • NakedSecurity – Sophos
  • Zero Day – Cybrary Term
