Critical vulnerability in a WordPress extension for Elementor

Once again a plugin with a very serious RCE (remote code execution) vulnerability has turned up for WordPress, the most widespread content management system. The plugin is used by over one million users, roughly 600,000 of whom have not yet updated to the latest, fixed version.

The flaw concerns the Essential Addons for Elementor plugin, an extension for Elementor, the most widely used page builder. All versions older than 5.0.5 are affected. If you haven't already done so, update this plugin immediately.

Technical description of the flaw

The flaw was discovered by the security company Patchstack. The "dynamic gallery" and "product gallery" widgets are the ones exposed to this attack.

Through them, an attacker can make the server load a locally stored file (including a PHP file) with nothing more than a crafted GET or POST request. Because PHP executes any file it includes regardless of its extension, this local file inclusion turns into code execution as soon as the attacker can place PHP code in any file on the server.


Two failed bug fixes

What makes this vulnerability interesting is that the plugin's authors released two patched versions that still contained the same bug. The final fix did not arrive until January 28th, in version 5.0.5. This is the usual story with an incomplete fix: the patch tries to clean the attacker's input instead of refusing anything that is not a known template.
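To make the flaw and the two failed fixes concrete, here is an added PHP illustration; it is not the plugin's own code and not Patchstack's proof of concept. It shows a generic widget template loader of the kind described above written three ways: the vulnerable original, a "sanitising" fix that is still bypassable, and a hardened version. The directory, function and parameter names are assumptions made for the example.

```php
<?php
// Added illustration; not code from Essential Addons for Elementor or Patchstack.
// A generic WordPress AJAX handler that picks a widget template from request
// input, shown three ways. Directory, function and parameter names are hypothetical.

define('WIDGET_TEMPLATE_DIR', __DIR__ . '/templates');

// 1. VULNERABLE: request input reaches include() unchanged. A request with
//    file=../../../../wp-content/uploads/avatar.jpg includes that file, and PHP
//    executes whatever <?php ... ?> it contains, whatever the extension.
//    That is how a local file inclusion becomes remote code execution.
function load_widget_template_vulnerable(array $request): void
{
    $file = $request['file'] ?? 'default.php';
    include WIDGET_TEMPLATE_DIR . '/' . $file;
}

// 2. INCOMPLETE FIX, the kind that has to be patched again: stripping '../' once
//    is defeated by '....//' (one pass leaves '../'), by '..\' on Windows, and
//    by an absolute path such as /etc/passwd, which contains no '../' at all.
function load_widget_template_partial_fix(array $request): void
{
    $file = str_replace('../', '', $request['file'] ?? 'default.php');
    include WIDGET_TEMPLATE_DIR . '/' . $file;
}

// 3. HARDENED: map request input onto a fixed list of template names, then
//    confirm the resolved path is still inside the template directory.
function resolve_widget_template(string $name): ?string
{
    $allowed = ['dynamic-gallery', 'product-gallery', 'default'];
    if (!in_array($name, $allowed, true)) {
        return null; // unknown name: refuse rather than try to clean it
    }
    $base = realpath(WIDGET_TEMPLATE_DIR);
    if ($base === false) {
        return null; // template directory missing or unreadable
    }
    // realpath() collapses '..' and symlinks; the prefix check catches anything
    // that still resolves outside $base.
    $path = realpath($base . '/' . $name . '.php');
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_widget_template_hardened(array $request): void
{
    $path = resolve_widget_template((string) ($request['template'] ?? 'default'));
    if ($path === null) {
        http_response_code(400);
        echo 'invalid template';
        return;
    }
    include $path;
}
```

The point of the third version is that the request never chooses a path at all, only a name from a list the plugin controls; the realpath prefix check is defence in depth in case the list or the directory layout changes later.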

Recommendation
The usual advice about not installing unknown plugins would not have helped you this time, since this plugin had over a million installs; one would expect it not to contain such a critical error. What does help is updating promptly: check under Plugins in the WordPress administration that Essential Addons for Elementor reports version 5.0.5 or newer.

Nevertheless, I encourage you to read my article on basic WordPress security tips, which will make the most common attacks at least noticeably more difficult.

https://www.interval.cz/clanky/zakladni-tipy-pro-zabezpeceni-wordpressu/

Keep WordPress safe with CZECHIA.com
Professional web hosting service provider CZECHIA.com will set up WordPress web hosting for you on a server with a Linux operating system, support for the latest PHP version, and an automatically pre-installed WordPress content management system.

In addition, you get a pre-installed SSL certificate from SSLmarket.cz, regular web hosting backups with the option to roll back to a previous version, and automatic WordPress core updates. There is also help with setting up the redirection of requests to https and with basic protection of the administration via the GeoIP module.
