Local File Inclusion (LFI) vulnerability in WordPress Ultimate Addons for WPBakery Page Builder Plugin

A Local File Inclusion (LFI) vulnerability has been identified in the WordPress Ultimate Addons for WPBakery Page Builder Plugin. This vulnerability could allow a malicious actor to include local files of the target website and show its output on the screen. Files that store credentials, such as database credentials, could potentially allow complete database takeover depending on the configuration.

This vulnerability was discovered and responsibly reported by Rafie Muhammad (Patchstack).

The vulnerability is an LFI vulnerability that occurs in the ultimate-addons-for-wpbakery-page-builder.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user input to include arbitrary local files on the website.

Severity:

The vulnerability has a CVSS 3.1 score of 7.6, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.

Affected Versions:

All versions of the Ultimate Addons for WPBakery Page Builder Plugin prior to 3.19.15 are affected by this vulnerability.

Impact:

An attacker who successfully exploits this vulnerability could:

Include local files of the target website, such as configuration files, which may contain sensitive information such as database credentials.
Gain access to sensitive information stored in the website’s files.
Modify or delete files on the website.
Take complete control of the website.

Recommendation:

To secure a WordPress website effectively, it is imperative to take the following steps:

Update the Plugin: Immediately update the Ultimate Addons for WPBakery Page Builder Plugin to the latest version, specifically version 3.19.15 or higher. This update contains the necessary security fixes to address the LFI vulnerability.
Regularly Update Plugins: It’s not just this plugin; make it a practice to regularly update all WordPress plugins and themes to their latest versions. Keeping website components up to date is a fundamental security measure.
Enhance Security Measures: Consider implementing additional security measures, such as web application firewalls (WAFs), strong authentication protocols, and regular security audits. A comprehensive security strategy is essential to minimize potential exploitation attempts.

Local File Inclusion (LFI) vulnerability in WordPress Ultimate Addons for WPBakery Page Builder Plugin

Severity:

Affected Versions:

Impact:

Recommendation:

Related Articles

Critical XSS vulnerability in Molongui Plugin

Critical SQL Injection Vulnerability in Ultimate Product Catalogue Plugin

Cross-Site Scripting (XSS) vulnerability in WordPress Motors – Car Dealer & Classified Ads Plugin

Fixing High-Severity XSS Vulnerability in Image Photo Gallery Final Tiles Grid Plugin

Arbitrary File Upload vulnerability in WordPress Form Maker by 10Web Plugin

WordPress Custom My Account for Woocommerce Plugin Cross-Site Request Forgery (CSRF) Vulnerability

Categories

Latest Blog Updates

Unmasking a Persistent Malware Attack on a WordPress Website

Investigating and Resolving High CPU Usage in WordPress Due to Malicious Crawlers

Unmasking a Hidden Malware Attack Targeting Users from Search Results

Critical Broken Access Control Vulnerability in WP Travel Plugin

Critical Broken Access Control Vulnerability in WooODT Lite Plugin

Critical Local File Inclusion Vulnerability in HTML filter and csv-file search Plugin

Critical Remote Code Execution Vulnerability in PHP to Page Plugin