Cyber Security News

WordPress Plugin Flaw Let Attackers Hijack 1m Websites

The widely-used Elementor plugin, “Essential Addons for Elementor,” has been discovered to have a security flaw that enables unauthorized users to gain administrative control, potentially impacting millions of WordPress websites.

PatchStack recently uncovered a critical unauthenticated privilege escalation vulnerability, tracked as CVE-2023-32243, in versions 5.4.0 to 5.7.1 of the Elementor plugin “Essential Addons for Elementor,” enabling potential attackers to reset passwords and gain unauthorized access to administrator accounts.


A Flaw in Essential Addons for Elementor

The vulnerability arises from the lack of password reset key validation, allowing direct modification of a user’s password without proper authentication.

This critical vulnerability (CVE-2023-32243) presents severe repercussions such as unauthorized data access, website tampering, malware dissemination, trust loss, and legal compliance issues. Still, a malicious password reset requires knowledge of a targeted system’s username.

To avoid suspicion, the attacker must input random values for ‘page_id’ and ‘widget_id’ while also providing the correct nonce value (‘eael-resetpassword-nonce’) to validate the password reset request and set a new password (‘eael-pass1’ and ‘eael-pass2’) in the exploit process.

PatchStack highlights the availability of the essential-add-ons-element or nonce value on the WordPress site’s front-end page, as it is stored in the $this->localize_objects variable by the load_commnon_asset function. With a valid username set on the ‘rp_login’ parameter, the attacker can effectively gain control of the targeted user’s account by changing their password.

The security firm suggests that the plugin vendor effectively addressed the issue by implementing a function to validate the presence and legitimacy of password reset keys in reset requests, releasing the fix in Essential Addons for Elementor version 5.7.2, urging all users to update to the latest version promptly.

The vendor addressed the vulnerability by implementing a simple patch, utilizing the ‘eael_resetpassword_rp_data_*’ value to verify the password reset process, as the code directly reset a user password without proper verification of the reset key’s authenticity.


Disclosure timeline

Here below, we have mentioned the complete disclosure timeline:-

  • 08 May, 2023 – We found the vulnerability and contacted the plugin vendor.
  • 11 May, 2023 – Essential Addons for Elementor version 5.7.2 was published to patch the reported issues.
  • 11 May, 2023 – Added the vulnerabilities to the Patchstack vulnerability database.

To ensure the secure execution of certain actions in WordPress, it’s crucial to implement access control and nonce checks and utilize the check_password_reset_key function, especially for login, registration, password reset/recovery, and database interaction.

Struggling to Apply The Security Patch in Your System? – 
Try All-in-One Patch Manager Plus

Guru Baran

Guru is an Ex-Security Engineer at Comodo Cybersecurity. Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Cryptojacking Campaign Infected Online Thesaurus With Over 5 Million Visitors

Students, authors, and anybody else wishing to improve their vocabulary and language abilities frequently utilize…

1 day ago

Gold Melody Attacking Organizations With Burp Extension, Mimikatz, and Other Tools

The financially motivated GOLD MELODY threat group has been active at least since 2017, attacking…

2 days ago

MOVEit Transfer SQL Injection Let the Attacker Gain Unauthorized Access to the Database

MOVEit transfer service pack has been discovered with three vulnerabilities associated with SQL injections (2)…

2 days ago

LUCR-3 Attacking Fortune 2000 Companies Using Victims’ Own Tools & Apps

A new financially motivated threat group named “LUCR-3” has been discovered targeting organizations to steal…

2 days ago

Is QakBot Malware Officially Dead?

Only a few malware families can claim to have persisted for nearly twenty years, and…

3 days ago

System Admin Pleads Guilty for Selling Pirated Business Phone Software Licenses

For taking part in a large international scheme to earn millions of dollars by selling pirated…

3 days ago