Are you using the Essential Addons for Elementor WordPress plugin? If so, it is time to update: the plugin has had vulnerabilities that could allow malicious attackers to run arbitrary code on your website.
WPScan, a security site, was the first to discover and report this vulnerability in the Essential Addons for Elementor plugin. According to the security site:
“The plugin does not validate and sanitise some template data before using them in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attack and read arbitrary files on the server, this could also lead to RCE via user uploaded files or other LFI to RCE techniques.”
The vulnerability was then announced on the United States National Vulnerability Database on February 1.
According to the site, the vulnerabilities in the plugin make it possible for attackers to launch a Local File Inclusion (LFI) attack, which lets an attacker read arbitrary files and cause a WordPress installation to reveal sensitive information. From there, it could lead to more serious attacks, such as running arbitrary code on the WordPress site, which can cause a lot of damage, including a full site takeover.
According to WPScan, which first reported the vulnerability, the issues were fixed in version 5.0.5 of the plugin. However, the changelog for the Lite version of the plugin states that version 5.0.6, out today (February 2, 2022), fixes an additional data sanitization issue.
To protect your site, it is best to update to at least the 5.0.6 version of the plugin.
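One way to act on this advice across one or more installs, as an added example (not code from WPScan or the plugin's authors): it reads the standard WordPress plugin header from each plugin's top-level PHP files and flags copies below 5.0.6. Matching on the plugin name as written in this article, and the sample folder and file names, are assumptions.

```python
import re
import tempfile
from pathlib import Path

FIXED = (5, 0, 6)                        # minimum version the article recommends
NAME = "essential addons for elementor"  # assumption: match on the name used in the article
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.I | re.M)


def parse_header(text):
    """Return (plugin name, version string) from a WordPress plugin file header."""
    fields = {}
    for key, value in HEADER.findall(text):
        fields.setdefault(key.lower(), value.strip(" \t*/"))
    return fields.get("plugin name"), fields.get("version")


def version_tuple(version):
    """'5.0.5-beta' -> (5, 0, 5); missing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def audit(plugins_dir):
    """List (path, version, needs_update) for each matching plugin under plugins_dir."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        # WordPress only reads the first 8 KiB of a file when looking for headers.
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        name, version = parse_header(head)
        if name and version and NAME in name.lower():
            findings.append((str(php), version, version_tuple(version) < FIXED))
    return findings


def demo():
    """Constructed sample: two fake installs, one on 5.0.4 and one on 5.0.6."""
    with tempfile.TemporaryDirectory() as root:
        for folder, ver in (("site-a-plugin", "5.0.4"), ("site-b-plugin", "5.0.6")):
            d = Path(root, folder)
            d.mkdir()
            (d / "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: Essential Addons for Elementor\n * Version: {ver}\n */\n")
        return [(v, flag) for _, v, flag in audit(root)]


if __name__ == "__main__":
    for version, needs_update in demo():
        print(version, "UPDATE REQUIRED" if needs_update else "ok")
```

To use it on a real site, call `audit()` with the path to that install's plugins directory.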
The WPScan Vulnerability report can be read here