Attackers Exploit WordPress Elementor Plugin Bug, Compromising 1 Million Sites

A critical vulnerability has been discovered in the widely-used “Essential Addons for Elementor” plugin for WordPress, allowing attackers to gain unauthorized access to administrator accounts on over one million sites.

Essential Addons for Elementor is a popular library of 90 extensions designed for the ‘Elementor’ page builder, utilized by a vast number of WordPress websites.

The security flaw, identified by PatchStack on May 8, 2023, is assigned CVE-2023-32243. It is an unauthenticated privilege escalation vulnerability affecting versions 5.4.0 to 5.7.1 of the plugin, located in its password reset functionality.

PatchStack’s advisory states, “By exploiting this flaw, an attacker can reset the password of any user, including the administrator, by simply knowing their username. This enables unauthorized login and potential misuse of the compromised account.”

The consequences of this vulnerability are severe, including unauthorized access to sensitive data, website defacement or deletion, distribution of malware to visitors, and damage to the brand’s reputation, trust, and legal compliance.

While exploiting the CVE-2023-32243 flaw does not require authentication, the attacker must possess knowledge of a valid username in order to carry out the malicious password reset.

Password Reset Exploit Unveiled

According to PatchStack’s report, the attacker must manipulate the POST inputs ‘page_id’ and ‘widget_id’ by inserting random values. This prevents the plugin from generating error messages that could raise suspicion among website administrators.

Furthermore, the attacker needs to supply the correct nonce value in the ‘eael-resetpassword-nonce’ field to validate the password reset request. They also set a new password by providing values for the ‘eael-pass1’ and ‘eael-pass2’ parameters.

PatchStack explains, “To obtain the essential-addons-elementor nonce value, it turns out that this value is present on the main front-end page of the WordPress site.”

Once a valid username is set in the ‘rp_login’ parameter, the code will update the password for the targeted user with the one supplied by the attacker, effectively granting them control over the compromised account.

Fixing the Issue

Addressing this vulnerability was a straightforward process, according to PatchStack. The plugin vendor incorporated a function to verify the presence and legitimacy of a password reset key in reset requests.
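The following is an added illustration of the bug class described in the two sections above and of the kind of check the fix introduces; it is not the plugin's code. The handler names are hypothetical, the nonce action string ‘resetpassword’ and the ‘rp_key’ parameter (named after WordPress core's own reset form) are assumptions, and only the WordPress core functions (wp_verify_nonce, get_user_by, check_password_reset_key, reset_password) are real.

```php
<?php
// Added example, not Essential Addons code. Contrasts a front-end password reset
// handler that trusts nonce + username with one that also verifies the reset key
// WordPress e-mailed to the account owner. Function names are hypothetical.

// BEFORE (vulnerable pattern): a valid nonce and a known username suffice.
// The nonce only proves the request originated from a page the site served; it
// is rendered into the public front end, so it is not proof the user asked for a
// reset. Nothing ties the request to an e-mailed reset key.
function hypothetical_reset_handler_vulnerable() {
    if ( ! wp_verify_nonce( $_POST['eael-resetpassword-nonce'] ?? '', 'resetpassword' ) ) {
        return;
    }
    $user = get_user_by( 'login', sanitize_user( $_POST['rp_login'] ?? '' ) );
    if ( $user && ( $_POST['eael-pass1'] ?? '' ) === ( $_POST['eael-pass2'] ?? '' ) ) {
        reset_password( $user, $_POST['eael-pass1'] ); // no reset key is checked
    }
}

// AFTER (hardened pattern): require the reset key and bind it to the login
// before changing anything. The nonce still protects against CSRF; the key is
// what proves the request came from whoever controls the account's e-mail.
function hypothetical_reset_handler_fixed() {
    if ( ! wp_verify_nonce( $_POST['eael-resetpassword-nonce'] ?? '', 'resetpassword' ) ) {
        return;
    }
    $key   = sanitize_text_field( $_POST['rp_key'] ?? '' );   // 'rp_key' assumed
    $login = sanitize_user( $_POST['rp_login'] ?? '' );
    if ( '' === $key || '' === $login ) {
        return; // reset key must be present, not merely valid when supplied
    }
    // check_password_reset_key() returns a WP_User on success and a WP_Error for
    // a missing, expired or mismatched key, so the username alone is useless.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        return;
    }
    $pass1 = $_POST['eael-pass1'] ?? '';
    if ( '' === $pass1 || $pass1 !== ( $_POST['eael-pass2'] ?? '' ) ) {
        return;
    }
    reset_password( $user, $pass1 );
}
```

Site owners who cannot update immediately can at least confirm in their server logs that the plugin's reset endpoint is not receiving POST requests carrying ‘rp_login’ without a preceding reset-key e-mail flow.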

The fix was implemented in Essential Addons for Elementor version 5.7.2, which was released today. All users of the plugin are strongly advised to upgrade to the latest version without delay.