Sunday, December 10, 2023

WordPress Plugin Flaw Let Attackers Hijack 1m Websites

The widely-used Elementor plugin, “Essential Addons for Elementor,” has been discovered to have a security flaw that enables unauthorized users to gain administrative control, potentially impacting millions of WordPress websites.

PatchStack recently uncovered a critical unauthenticated privilege escalation vulnerability, tracked as CVE-2023-32243, in versions 5.4.0 to 5.7.1 of the Elementor plugin “Essential Addons for Elementor,” enabling potential attackers to reset passwords and gain unauthorized access to administrator accounts.

Elementor

A Flaw in Essential Addons for Elementor

The vulnerability arises from the lack of password reset key validation, allowing direct modification of a user’s password without proper authentication.

This critical vulnerability (CVE-2023-32243) presents severe repercussions such as unauthorized data access, website tampering, malware dissemination, trust loss, and legal compliance issues. Still, a malicious password reset requires knowledge of a targeted system’s username.

To avoid suspicion, the attacker must input random values for ‘page_id’ and ‘widget_id’ while also providing the correct nonce value (‘eael-resetpassword-nonce’) to validate the password reset request and set a new password (‘eael-pass1’ and ‘eael-pass2’) in the exploit process.

PatchStack highlights the availability of the essential-add-ons-element or nonce value on the WordPress site’s front-end page, as it is stored in the $this->localize_objects variable by the load_commnon_asset function. With a valid username set on the ‘rp_login’ parameter, the attacker can effectively gain control of the targeted user’s account by changing their password.

The security firm suggests that the plugin vendor effectively addressed the issue by implementing a function to validate the presence and legitimacy of password reset keys in reset requests, releasing the fix in Essential Addons for Elementor version 5.7.2, urging all users to update to the latest version promptly.

The vendor addressed the vulnerability by implementing a simple patch, utilizing the ‘eael_resetpassword_rp_data_*’ value to verify the password reset process, as the code directly reset a user password without proper verification of the reset key’s authenticity.

Vulnerability

Disclosure timeline

Here below, we have mentioned the complete disclosure timeline:-

  • 08 May, 2023 – We found the vulnerability and contacted the plugin vendor.
  • 11 May, 2023 – Essential Addons for Elementor version 5.7.2 was published to patch the reported issues.
  • 11 May, 2023 – Added the vulnerabilities to the Patchstack vulnerability database.

To ensure the secure execution of certain actions in WordPress, it’s crucial to implement access control and nonce checks and utilize the check_password_reset_key function, especially for login, registration, password reset/recovery, and database interaction.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus

Website

Latest articles

WordPress POP Chain Flaw Exposes Over 800M+ Websites to Attack

A critical remote code execution vulnerability has been patched as part of the Wordpress...

Russian Star Blizzard New Evasion Techniques to Hijack Email Accounts

Hackers target email accounts because they contain valuable personal and financial information. Successful email...

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid...

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative...

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

Endpoint Strategies for 2024 and beyond

Converge and Defend

What's the pulse of Unified Endpoint Management and Security (UEMS) in Europe? Join us live to uncover the strategies that are defining endpoint security in the region.

Related Articles