Threat Advisory

Elementor Plugin vulnerable to Remote Code Execution

February 4, 2022 | By Accorian

WordPress is the most widely used CMS and also the most infamous one. When it comes to being secure, it is only as secure as any other similar platform, depending on how it is configured and maintained. All software, tools, and platforms must be updated and patched in a timely fashion to maintain security.

A critical security issue, Local File Inclusion (LFI) was identified in the WordPress plugin – Essential Addons for Elementor v5.0.4 and below. LFI attack allows an attacker to include local files on the file system. This could be used to exfiltrate sensitive data or even lead to code execution attacks where an attacker will include a file with malicious code and execute it with the help of this flaw.

It was observed that the vulnerability exists only if the widgets – Dynamic gallery and product Gallery are used. This can be exploited due to how the user input is used inside PHP’s include function in the ajax load more and ajax_eael_product_gallery functions. 

It has been confirmed that the vulnerability has now been completely fixed in version 5.0.5 of Essential Addons for Elementor while the previous 2 fixes remained flawed and incomplete.

Accorian can help you

  • Identify this and any such security issue that your website may be vulnerable to
  • Identify all vulnerable plugins and components that are being used
  • Fix the identified vulnerabilities with appropriate fixes and patches


It is advised that:

  • All plugins, components, software, and tools are updated regularly as patches and fixes are released. 
  • Test the patches on a UAT before applying them on production setup to ensure the patch does not break your application or service.
  • All user input is being validated and the application does not trust any user input.
  • Nulled plugins and themes are never used.
  • A WordPress WAF (Web Application Firewall) be used to protect the application.
  • It would be ideal to carry out a quick vulnerability scan to understand on a high-level the vulnerable plugins that are being used and the possible damage that they could cause. Subsequently, carry out complete application penetration tests which will help identify all the security flaws in the application, and upon remediation, the exercise will strengthen the security posture.

We are here if you need us. You can reach out to me on my email, and if you would like to schedule a call with me, here’s my availability (Schedule a meeting with me)

Recent Post

Ready to Start?

Ready to Start?​

Drop your CVs to

Interested Position

Download Case study

Download SOC2 Guide