The vulnerability was found by security researcher Wai Yan Myo Thet and reported to Patchstack on January 25, 2022. Patchstack customers received a virtual patch the same day. The issue was already known to the plugin's developers, WPDeveloper, who issued two insufficient patches before it was finally fixed in version 5.0.5.
Patchstack published a summary of the vulnerability and explained how WordPress sites using the plugin could be compromised:
This vulnerability allows any user, regardless of their authentication or authorization status, to perform a local file inclusion attack. This attack can be used to include local files on the filesystem of the website, such as /etc/passwd. This can also be used to perform RCE by including a file with malicious PHP code that normally cannot be executed.
It's important to note that the vulnerability mainly affects users who have the dynamic gallery and product gallery widgets in use.
The plugin's changelog makes the update look more like an enhancement than a serious security issue, so users may not be fully aware that they need to update:
5.0.5 – 28/01/2022
Improved: Enhanced Security to prevent inclusion of unwanted file from remote server by ajax request
5.0.4 – 27/01/2022
Improved: Sanitized template file paths for Security Enhancement
Added: Support for new Capability Queries for WordPress 5.9
Fixed: Elementor Popups not being triggered
Few minor bug fixes & improvements
All versions earlier than 5.0.5 are considered vulnerable. WordPress.org stats don't break down active installs by minor version, but approximately 54% of the plugin's users are running versions older than 5.0.
While this may make it seem like more than half a million users are still vulnerable, they would also need to be using the specific widgets in question. If you are not sure whether you are using these widgets in combination, it's best to simply update as soon as possible anyway.
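The changelog entry "Sanitized template file paths" names a class of fix that can be sketched as a path-containment check on any template name taken from a request. This is an added example, not the plugin's code or WPDeveloper's patch; the function name, directory layout and sample files are assumptions constructed for illustration.

```php
<?php
// Added illustration of template path containment; all names are hypothetical.
// A stricter first gate is an allowlist of the template names the widget ships.

/**
 * Resolve a request-supplied template name to a file under $baseDir.
 * Returns the canonical path, or null when the request must be rejected.
 */
function resolve_template(string $baseDir, string $requested): ?string
{
    // Canonicalise both paths: realpath() resolves "..", "." and symlinks,
    // and returns false when the target does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment: compare canonical paths, never the raw request string.
    // Stripping "../" from the input is not equivalent to this check.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo tree: <tmp>/tpl_demo_<pid>/templates/grid.php is a
// legitimate template, <tmp>/tpl_demo_<pid>/secret.php sits outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
$templates = $root . DIRECTORY_SEPARATOR . 'templates';
mkdir($templates, 0700, true);
file_put_contents($templates . DIRECTORY_SEPARATOR . 'grid.php', '<?php // template');
file_put_contents($root . DIRECTORY_SEPARATOR . 'secret.php', '<?php // not a template');

// Constructed request values: one valid name, one that escapes the
// template directory, one that does not exist.
foreach (['grid', '../secret', 'missing'] as $name) {
    $result = resolve_template($templates, $name);
    printf("%-12s => %s\n", $name, $result === null ? 'rejected' : 'include ' . basename($result));
}

// Clean up the demo tree.
unlink($templates . DIRECTORY_SEPARATOR . 'grid.php');
unlink($root . DIRECTORY_SEPARATOR . 'secret.php');
rmdir($templates);
rmdir($root);
```

Only `grid` resolves; `../secret` exists on disk but fails the containment check, and `missing` fails canonicalisation.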