The widely-used Elementor plugin, “Essential Addons for Elementor,” has been discovered to have a security flaw that enables unauthorized users to gain administrative control, potentially impacting millions of WordPress websites.
PatchStack recently uncovered a critical unauthenticated privilege escalation vulnerability, tracked as CVE-2023-32243, in versions 5.4.0 to 5.7.1 of the Elementor plugin “Essential Addons for Elementor,” enabling potential attackers to reset passwords and gain unauthorized access to administrator accounts.
The vulnerability arises from the lack of password reset key validation, allowing direct modification of a user’s password without proper authentication.
This critical vulnerability (CVE-2023-32243) presents severe repercussions such as unauthorized data access, website tampering, malware dissemination, trust loss, and legal compliance issues. Still, a malicious password reset requires knowledge of a targeted system’s username.
To avoid suspicion, the attacker must input random values for ‘page_id’ and ‘widget_id’ while also providing the correct nonce value (‘eael-resetpassword-nonce’) to validate the password reset request and set a new password (‘eael-pass1’ and ‘eael-pass2’) in the exploit process.
PatchStack highlights the availability of the essential-add-ons-element or nonce value on the WordPress site’s front-end page, as it is stored in the $this->localize_objects variable by the load_commnon_asset function. With a valid username set on the ‘rp_login’ parameter, the attacker can effectively gain control of the targeted user’s account by changing their password.
The security firm suggests that the plugin vendor effectively addressed the issue by implementing a function to validate the presence and legitimacy of password reset keys in reset requests, releasing the fix in Essential Addons for Elementor version 5.7.2, urging all users to update to the latest version promptly.
The vendor addressed the vulnerability by implementing a simple patch, utilizing the ‘eael_resetpassword_rp_data_*’ value to verify the password reset process, as the code directly reset a user password without proper verification of the reset key’s authenticity.
Here below, we have mentioned the complete disclosure timeline:-
To ensure the secure execution of certain actions in WordPress, it’s crucial to implement access control and nonce checks and utilize the check_password_reset_key function, especially for login, registration, password reset/recovery, and database interaction.
Struggling to Apply The Security Patch in Your System? –
Try All-in-One Patch Manager Plus
Students, authors, and anybody else wishing to improve their vocabulary and language abilities frequently utilize…
The financially motivated GOLD MELODY threat group has been active at least since 2017, attacking…
MOVEit transfer service pack has been discovered with three vulnerabilities associated with SQL injections (2)…
A new financially motivated threat group named “LUCR-3” has been discovered targeting organizations to steal…
Only a few malware families can claim to have persisted for nearly twenty years, and…
For taking part in a large international scheme to earn millions of dollars by selling pirated…