Essential Addons for Elementor, a popular WordPress plugin installed on over a million sites, has been found to contain a critical remote code execution (RCE) vulnerability affecting version 5.0.4 and older. The flaw lets an unauthenticated attacker perform a local file inclusion (LFI) attack: a request-controlled value is used to build the path of a file the plugin includes, so an attacker who can point it at a PHP file already present on the server gets that file's code executed on the site.
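The pattern behind an LFI-to-RCE flaw of this kind, shown as an added example in plain PHP; this is not code from Essential Addons for Elementor or from WordPress, and the function names, the template directory layout and the attacker-controlled value are assumptions made for illustration. The vulnerable resolver concatenates the request value straight into an include path, so a value containing `../` walks out of the template directory; the hardened resolver accepts only a registered template name and then confirms with realpath() that the resolved file still lies inside the template directory.

```php
<?php
// Added example, not code from Essential Addons for Elementor or WordPress.
// Function names, directory layout and the attacker input are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the request value goes straight into the include path.
// Appending ".php" does not help, because "../evil" still resolves to a file
// outside $templateDir.
function resolve_template_vulnerable(string $templateDir, string $fileName): string
{
    return $templateDir . '/' . $fileName . '.php';
}

// Hardened pattern: allow-list the template name, then canonicalise the
// resolved path and check containment as a second, independent control.
function resolve_template_safe(string $templateDir, string $fileName, array $allowed): ?string
{
    // 1. Only template names the plugin itself registers are acceptable.
    if (!in_array($fileName, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: the canonical path must start with the canonical
    //    template directory, so a later loosening of the allow-list still
    //    cannot reach files elsewhere on disk.
    $base = realpath($templateDir);
    $candidate = realpath($templateDir . '/' . $fileName . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed layout in a temporary directory: one legitimate template and one
// PHP file an attacker has managed to place elsewhere on the server.
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir("$root/templates", 0700, true);
file_put_contents("$root/templates/default.php", "<?php echo \"default template\\n\";");
file_put_contents("$root/evil.php", "<?php echo \"attacker code ran\\n\";");

$allowed = ['default', 'grid'];

// Attacker-controlled value as it would arrive in a request parameter.
$attackerInput = '../evil';

echo "vulnerable resolver: ";
include resolve_template_vulnerable("$root/templates", $attackerInput);

echo "hardened resolver, attacker input: ";
$path = resolve_template_safe("$root/templates", $attackerInput, $allowed);
echo $path === null ? "rejected\n" : "included $path\n";

echo "hardened resolver, legitimate input: ";
$path = resolve_template_safe("$root/templates", 'default', $allowed);
if ($path !== null) {
    include $path;
}

// Remove the constructed files.
unlink("$root/templates/default.php");
unlink("$root/evil.php");
rmdir("$root/templates");
rmdir($root);
```

Run it with the PHP CLI. The vulnerable resolver includes the attacker's file because PHP resolves the `..` segment at open time; the hardened resolver rejects the same value at the allow-list step and would also reject it at the realpath containment check, while the registered name `default` passes both checks and is included normally. In a real plugin the allow-list should be the set of templates the plugin ships, never a list derived from the request.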

<p>WordPress powers as much as a third of all websites on the Internet, including some of the most highly trafficked sites and a large share of eCommerce sites, so WordPress security should be a top concern for organizations.</p>
<p>In particular, remote code execution (RCE) vulnerabilities, such as the one found in the popular WordPress plugin Essential Addons for Elementor, are among the most dangerous classes of vulnerability, because they give the attacker the ability to run arbitrary code on the compromised site, typically with the privileges of the web server process. Injection flaws (the category that covers RCE) and cross-site scripting (XSS) have long appeared on the OWASP Top 10, so why aren’t WordPress sites better equipped to defend against these attacks?</p>
<p>The simplest thing any organization can do to reduce its exposure is to keep its whole stack up to date and patched: WordPress core, themes and plugins, the database server (MySQL/MariaDB), the web server (NGINX/Apache) and PHP itself. Plugins deserve particular attention, because a flaw like this one is exploitable no matter how current WordPress core is. In addition, enterprises should add runtime application security protection (RASP) that blocks attacks exploiting OWASP Top 10 and other critical vulnerabilities and provides virtual patches for applications until a vendor fix can be applied.</p>