Critical Privilege Escalation Vulnerability in Essential Addons for Elementor Plugin Affecting Over One Million Sites

Introduction

A severe vulnerability has been detected in Essential Addons for Elementor (from 5.4.0 through 5.7.1), a WordPress plugin with over one million active installations. This flaw was patched on May 11, 2023, but due to its severity, we believe it’s essential to raise awareness and ensure all affected users have applied the patch.

Details of the Vulnerability

The vulnerability, cataloged as CVE-2023-32243, is of critical severity with a CVSS score of 9.8. The flaw exists in versions of the Essential Addons for Elementor plugin up to and including 5.7.1.

The vulnerability allowed unauthenticated users to reset arbitrary user passwords, including those of accounts with administrative-level access. This made it possible for attackers to compromise any account on a website running a vulnerable version of the plugin, effectively granting them administrative privileges and full control over the website.

How the Vulnerability is Exploited

The exploit is relatively simple to carry out. WordPress does not treat usernames as sensitive information, so an attacker can easily enumerate a site for valid usernames. The reset_password function in the affected plugin versions did not adequately validate password reset requests: it required a valid nonce, which any visitor can obtain from the site’s homepage, but did not verify that the request was otherwise authorized. An attacker could therefore supply a valid username together with that nonce, fill the remaining fields with arbitrary data, and reset the user’s password in a single request.
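For comparison, the following is an added illustration (not the plugin’s own code, and not the fix shipped in 5.7.2) of what a password reset handler must check in addition to a nonce: WordPress core’s check_password_reset_key() ties the request to a reset key that was emailed to the account owner and has not expired. The function name, AJAX action and request field names (reset_nonce, rp_login, rp_key, password, password_confirm) are hypothetical.

```php
<?php
// Added example, not code from Essential Addons for Elementor. All names below
// are hypothetical; only the WordPress core functions called are real.

function hypothetical_handle_password_reset() {
    $nonce = isset( $_POST['reset_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['reset_nonce'] ) ) : '';

    // A nonce only proves the request originated from a page of this site.
    // Any visitor can obtain one from the public homepage, so on its own it
    // does not authorize a password reset for a particular account.
    if ( ! wp_verify_nonce( $nonce, 'hypothetical_reset_password' ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 403 );
    }

    $login = isset( $_POST['rp_login'] ) ? sanitize_user( wp_unslash( $_POST['rp_login'] ) ) : '';
    $key   = isset( $_POST['rp_key'] ) ? sanitize_text_field( wp_unslash( $_POST['rp_key'] ) ) : '';
    $pass1 = isset( $_POST['password'] ) ? wp_unslash( $_POST['password'] ) : '';
    $pass2 = isset( $_POST['password_confirm'] ) ? wp_unslash( $_POST['password_confirm'] ) : '';

    // The authorization check a reset handler needs: the key must be the one
    // WordPress generated for this login and mailed to the account owner, and it
    // must not have expired. check_password_reset_key() returns WP_Error otherwise.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired reset key.' ), 403 );
    }

    if ( '' === $pass1 || $pass1 !== $pass2 ) {
        wp_send_json_error( array( 'message' => 'Passwords do not match.' ), 400 );
    }

    // Core helper: stores the new hash, clears the used reset key and fires
    // the after_password_reset action for logging or notification hooks.
    reset_password( $user, $pass1 );
    wp_send_json_success( array( 'message' => 'Password updated.' ) );
}

// Register for both logged-out and logged-in AJAX requests (hypothetical action name).
add_action( 'wp_ajax_nopriv_hypothetical_reset_password', 'hypothetical_handle_password_reset' );
add_action( 'wp_ajax_hypothetical_reset_password', 'hypothetical_handle_password_reset' );
```

The point for reviewers of similar code is the presence of the check_password_reset_key() call: a handler that accepts a login name, a nonce and a new password without binding the request to a per-user reset key has the same class of flaw described above.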

Once an attacker gained access as an administrator, they could perform actions like installing plugins and backdoors, posing a significant threat to the security of the site, its server, and its visitors.

Mitigation and Recommendations

It is crucial for all users of Essential Addons for Elementor to update to the fully patched version 5.7.2 as soon as possible to protect their sites. Users should also ensure their WordPress installations are up-to-date and monitor their sites for any unusual activity, such as failed login attempts or new administrator accounts.

Additionally, users are advised to refrain from using common default usernames like ‘admin,’ as these are often targeted by attackers.

Conclusion

This vulnerability in Essential Addons for Elementor emphasizes the importance of rigorous website security measures. Regular updates to plugins and WordPress, the use of unique and robust usernames and passwords, and continuous monitoring are fundamental steps in safeguarding your site. Importantly, users employing Malware.Expert’s ModSecurity rules are protected against this vulnerability. Such robust security solutions, like those offered by Malware.Expert, remain an integral part of a comprehensive defense strategy, providing invaluable protection against potential threats.