Saturday, February 8, 2025
HomeCyber Security NewsWordPress Plugin Flaw Let Attackers Hijack 1m Websites

WordPress Plugin Flaw Let Attackers Hijack 1m Websites

Published on

SIEM as a Service

Follow Us on Google News

The widely-used Elementor plugin, “Essential Addons for Elementor,” has been discovered to have a security flaw that enables unauthorized users to gain administrative control, potentially impacting millions of WordPress websites.

PatchStack recently uncovered a critical unauthenticated privilege escalation vulnerability, tracked as CVE-2023-32243, in versions 5.4.0 to 5.7.1 of the Elementor plugin “Essential Addons for Elementor,” enabling potential attackers to reset passwords and gain unauthorized access to administrator accounts.

Elementor

A Flaw in Essential Addons for Elementor

The vulnerability arises from the lack of password reset key validation, allowing direct modification of a user’s password without proper authentication.

This critical vulnerability (CVE-2023-32243) presents severe repercussions such as unauthorized data access, website tampering, malware dissemination, trust loss, and legal compliance issues. Still, a malicious password reset requires knowledge of a targeted system’s username.

To avoid suspicion, the attacker must input random values for ‘page_id’ and ‘widget_id’ while also providing the correct nonce value (‘eael-resetpassword-nonce’) to validate the password reset request and set a new password (‘eael-pass1’ and ‘eael-pass2’) in the exploit process.

PatchStack highlights the availability of the essential-add-ons-element or nonce value on the WordPress site’s front-end page, as it is stored in the $this->localize_objects variable by the load_commnon_asset function. With a valid username set on the ‘rp_login’ parameter, the attacker can effectively gain control of the targeted user’s account by changing their password.

The security firm suggests that the plugin vendor effectively addressed the issue by implementing a function to validate the presence and legitimacy of password reset keys in reset requests, releasing the fix in Essential Addons for Elementor version 5.7.2, urging all users to update to the latest version promptly.

The vendor addressed the vulnerability by implementing a simple patch, utilizing the ‘eael_resetpassword_rp_data_*’ value to verify the password reset process, as the code directly reset a user password without proper verification of the reset key’s authenticity.

Vulnerability

Disclosure timeline

Here below, we have mentioned the complete disclosure timeline:-

  • 08 May, 2023 – We found the vulnerability and contacted the plugin vendor.
  • 11 May, 2023 – Essential Addons for Elementor version 5.7.2 was published to patch the reported issues.
  • 11 May, 2023 – Added the vulnerabilities to the Patchstack vulnerability database.

To ensure the secure execution of certain actions in WordPress, it’s crucial to implement access control and nonce checks and utilize the check_password_reset_key function, especially for login, registration, password reset/recovery, and database interaction.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...