A PHP Object Injection vulnerability has been identified in the WordPress Themesflat Addons For Elementor Plugin. This vulnerability allows an attacker to inject arbitrary PHP code into the affected website, potentially compromising the security of the website and its visitors. This high-severity plugin vulnerability was detected and responsibly disclosed by Robert Rowley.
The vulnerability is a PHP Object Injection vulnerability that occurs in the class-tesflat-addons-for-elementor.php file. The vulnerability allows an attacker to inject arbitrary PHP code into the affected website by specifying a specially crafted URL in the id parameter of the get_addons function.
Severity:
The vulnerability has a CVSS 3.1 score of 8.3, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.
Affected Versions:
The vulnerability affects WordPress websites that use the Themesflat Addons For Elementor Plugin prior to version 2.0.1.
Impact:
An attacker who successfully exploits this vulnerability could inject arbitrary PHP code into the affected website, which could then be executed by any visitor to the website. This could lead to a variety of security risks, such as:
- Code execution
- Data exfiltration
- Denial of service
- Phishing attacks
- Malware infections
Recommendation:
Given the high severity of this vulnerability, immediate action is essential to protect the WordPress website:
- Update Immediately: Ensure Themesflat Addons For Elementor Plugin is updated to at least version 2.0.1, or the most recent available version.
- Regular Security Audits: Regularly conduct comprehensive security audits on the WordPress website. Identifying and addressing vulnerabilities proactively is essential to maintain a robust security posture.
- Stay Informed: Stay informed about official updates or advisories associated with the Themesflat Addons For Elementor Plugin. Timely updates and heightened awareness are pivotal for preserving the website’s security.