Elementor Plugin Bug Puts 1 Million WordPress Sites at Risk of Account Hijacking


A recently discovered bug in the popular Essential Addons for Elementor plugin for WordPress has left up to one million websites exposed to account hijacking. Attackers could exploit the vulnerability to take control of user accounts and gain access to sensitive information.

Essential Addons for Elementor is widely used by WordPress site owners to customize the appearance and functionality of their sites. This bug allows attackers to bypass a security check in the plugin and gain unauthorized access to user accounts.

The plugin's developers have released a patch for the bug, so all users of the plugin should update to the latest version as soon as possible. Site owners should also review their site's security measures and take any further steps needed to protect their accounts.

If you run a WordPress site with the Essential Addons for Elementor plugin, stay informed about security vulnerabilities in it and take proactive steps to protect your site and its users.

A vulnerability has been discovered in “Essential Addons for Elementor,” one of the most popular plugins for WordPress’s Elementor page builder. The flaw, discovered by cybersecurity firm PatchStack on May 8th, 2023, could potentially allow remote attackers to gain administrator privileges on a site through an unauthenticated privilege escalation exploit.

“Essential Addons for Elementor” is a library of 90 extensions used by over one million WordPress sites. The vulnerability, tracked as CVE-2023-32243, affects versions 5.4.0 to 5.7.1 and specifically targets the plugin’s password reset functionality.

WordPress site owners using “Essential Addons for Elementor” are urged to update to the latest version immediately to avoid any potential exploitation of this vulnerability. It is recommended that all WordPress site owners stay informed about potential security threats and take necessary measures to protect their sites and their users’ data.

According to a bulletin by PatchStack, exploiting the recently discovered CVE-2023-32243 vulnerability in “Essential Addons for Elementor” can allow unauthorized password resets of any user, including administrators, without validating a password reset key.

(Un)conditional password reset

By exploiting this flaw, attackers can gain unauthorized access to private information, deface or delete the website, distribute malware to visitors, and damage the website’s reputation and legal compliance.

Although attackers do not need to be authenticated to exploit the vulnerability, they do need to know the username of the targeted account to perform a malicious password reset. The attacker sets arbitrary values in the POST 'page_id' and 'widget_id' inputs, supplies the correct nonce value in 'eael-resetpassword-nonce', and sets the new password in the 'eael-pass1' and 'eael-pass2' parameters so that the request passes the plugin's validation.

The nonce value is available on the main front-end page of the WordPress site, because the load_common_asset function stores it in the $this->localize_objects variable; it therefore offers no protection against an unauthenticated attacker. WordPress site owners using "Essential Addons for Elementor" should update to the latest version immediately to mitigate this vulnerability, and should remain vigilant about security threats to their websites.

If a valid username is set in the 'rp_login' parameter, the vulnerable "Essential Addons for Elementor" code changes that user's password to the one provided, effectively handing the attacker control of the account. Users of the plugin should update to the latest version as soon as possible to prevent exploitation and the resulting unauthorized access to their accounts. Regular security checks and best practices remain essential to the safety and integrity of WordPress sites and their users' data.

Part of the PHP that triggers the password reset (PatchStack)

According to the security firm PatchStack, the process of patching the vulnerability in “Essential Addons for Elementor” was uncomplicated. The plugin vendor resolved the issue by adding a function that validates the presence and legitimacy of a password reset key in reset requests.
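The following is an illustrative reconstruction, written for this article and not taken from the plugin or from PatchStack, of what a front-end reset handler looks like once the key check described above is in place. The request parameter names follow the article; the action hook name, the handler function name, the nonce action string, the 'rp_key' parameter (borrowed from WordPress core's own reset form) and the redirect target are assumptions.

```php
<?php
// Illustrative hardened password-reset handler (example code, not the plugin's).
// The flaw described in the article was that a reset request was honoured
// without ever validating the reset key WordPress e-mails to the account owner.
// The fix is the check_password_reset_key() call below; everything else is the
// usual nonce, sanitisation and confirmation handling.

add_action( 'init', 'eael_reset_password_example' ); // hook name is an assumption

function eael_reset_password_example() {
    if ( ! isset( $_POST['eael-resetpassword-nonce'], $_POST['rp_login'] ) ) {
        return; // not a reset submission
    }

    // The nonce only proves the form was rendered by this site. It is emitted to
    // every visitor, so it cannot stand in for the per-user reset key.
    $nonce = sanitize_text_field( wp_unslash( $_POST['eael-resetpassword-nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'eael-resetpassword-nonce' ) ) { // action string assumed
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    $login = sanitize_user( wp_unslash( $_POST['rp_login'] ) );
    $key   = isset( $_POST['rp_key'] ) ? sanitize_text_field( wp_unslash( $_POST['rp_key'] ) ) : '';

    // The check that was missing: returns a WP_User only when the key matches the
    // one stored for this login and has not expired; otherwise a WP_Error.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        wp_die( 'Invalid or expired reset key.', '', array( 'response' => 403 ) );
    }

    $pass1 = isset( $_POST['eael-pass1'] ) ? (string) wp_unslash( $_POST['eael-pass1'] ) : '';
    $pass2 = isset( $_POST['eael-pass2'] ) ? (string) wp_unslash( $_POST['eael-pass2'] ) : '';
    if ( '' === $pass1 || $pass1 !== $pass2 ) {
        wp_die( 'Passwords are empty or do not match.', '', array( 'response' => 400 ) );
    }

    // Core helper: sets the new password and invalidates the used reset key.
    reset_password( $user, $pass1 );

    wp_safe_redirect( add_query_arg( 'password-reset', 'done', wp_login_url() ) ); // assumed destination
    exit;
}
```

Without the check_password_reset_key() step, a request carrying a valid 'rp_login' and a site-wide nonce reaches reset_password() unchallenged, which is exactly the condition the article describes.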

The patch has been incorporated into the latest version of the plugin, Essential Addons for Elementor version 5.7.2, which was released today. Users of the plugin are advised to update to the latest version immediately to prevent any exploitation of the vulnerability. It is vital to keep all software and plugins up to date to ensure the security and stability of WordPress sites.

Conclusion

The popular WordPress plugin "Essential Addons for Elementor" was found to be vulnerable to an unauthenticated privilege escalation attack that could allow attackers to gain control of targeted accounts on over one million WordPress sites. The vulnerability, tracked as CVE-2023-32243, could result in unauthorized access to private information, website defacement or deletion, malware distribution to visitors, and legal compliance problems. The plugin vendor quickly addressed the issue and released a patch in version 5.7.2, which users are encouraged to install as soon as possible to prevent exploitation. It is crucial for website owners to keep software and plugins up to date and to stay vigilant about security threats.


This Post Has 12 Comments

  1. Bess Colosi

    I think other web site proprietors should take this website as a model, very clean and magnificent user friendly style and design, as well as the content. You're an expert in this topic!

  2. Ashlyn Sperl

    Howdy! I just wish to give an enormous thumbs up for the great information you have got right here on this post. I can be coming again to your weblog for extra soon.

  3. Carson Morro

    A fascinating discussion is value comment. I believe that it is best to write extra on this matter, it may not be a taboo topic but generally persons are not enough to speak on such topics. To the next. Cheers

  4. Serina Areola

    Aw, this is an incredibly nice post. In thought I would like to put in place writing like this moreover, spending time and actual effort to create a good article, but exactly what do I say. I procrastinate a lot through no indicates seem to get something accomplished.

  5. Reid Aboshihata

    I’m curious to find out what blog platform you have been working with? I’m having some small security problems with my latest website and I would like to find something more safeguarded. Do you have any solutions?

  6. Janey Tuxbury

    In my opinion, pick up study along with consult beneficial.

  7. Stevie Dellarocco

    Just where maybe you have discovered the source meant for that article? Wonderful studying I have subscribed to your feed.

  8. Yuette Atkeson

    I am typically to blogging and I really appreciate your content regularly. This content has really piqued my interest. I'm going to bookmark your web site and maintain checking for first time information.

  9. Mickie Palakiko

    Many thanks for this advice I was basically checking all Yahoo to discover it!

  10. Pura Olofson

    It’s not that I want to copy your web-site, but I really like the design. Could you tell me which design are you using? Or was it especially designed?

  11. Natasha Barscewski

    What I can say is that abortion is a sin and it should be deemed illegal by all means.

  12. Billie Benner

    Sometimes it's a pain in the ass to read what website owners wrote but this site is very user friendly!
