Essential Addons Plugin Flaw Exposes One Million WordPress Websites

A newly discovered vulnerability in the Essential Addons for Elementor plugin exposes over one million WordPress websites to attacks aimed at gaining unauthorized access to user accounts with elevated privileges.

Cybersecurity experts at Patchstack described a new vulnerability (CVE-2023-32243) in an advisory published Thursday.

“This plugin contains an unauthenticated privilege escalation vulnerability that allows an unauthenticated user to elevate privileges to the privileges of any user on a WordPress site,” the technical document states.

Patchstack further stated that the vulnerability could allow an attacker to reset a user’s password simply by knowing the username, thereby gaining unauthorized access to user accounts, including those with administrative privileges.


“This vulnerability occurs because this password reset functionality does not validate the password reset key and directly changes the password for the specified user,” Patchstack wrote.

The company said the flaw was resolved in version 5.7.2, released May 11, just days after Patchstack contacted the plugin vendor on May 8.

“We have detected that a third party has accessed vulnerability information and published an issue through monitoring changelogs, so we have decided to disclose the vulnerability early,” the advisory reads.

At the same time, Patchstack notes that while patches address the specific vulnerabilities that have been identified, software can contain multiple vulnerabilities, and new ones may emerge in the future.

To this end, system administrators and plugin developers should implement additional security practices such as access controls and nonce checks, and use functions such as check_password_reset_key to verify the validity and expiration of password reset keys, ensuring a robust password reset process.
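To make the advisory's point concrete, here is a hypothetical WordPress reset handler written for this article (it is not the plugin's code and does not reproduce its internals). The insecure variant shows the pattern Patchstack describes, a handler that never validates the reset key; the hardened variant adds a nonce check and uses WordPress core's check_password_reset_key(). The request field names and the nonce action name are assumptions.

```php
<?php
// Hypothetical handler (not the plugin's code). It mirrors the flaw the
// advisory describes: the username and new password come straight from the
// request and the reset key is never checked, so knowing a login is enough
// to set that account's password.
function insecure_reset_handler() {
    $login    = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $new_pass = (string) wp_unslash( $_POST['new_password'] ?? '' );
    $user     = get_user_by( 'login', $login );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user.' );
    }
    // BUG: no nonce check and no reset-key validation before the change.
    reset_password( $user, $new_pass );
    return true;
}

// Hardened variant: reject requests without a valid nonce, then let
// check_password_reset_key() confirm the key was issued for this login and
// has not expired before any password is changed.
function secure_reset_handler() {
    // 'my_reset_action' is an assumed nonce action name for this example.
    if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'my_reset_action' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    $login    = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $key      = (string) wp_unslash( $_POST['reset_key'] ?? '' );
    $new_pass = (string) wp_unslash( $_POST['new_password'] ?? '' );
    if ( '' === $login || '' === $key || '' === $new_pass ) {
        return new WP_Error( 'missing_fields', 'Missing required fields.' );
    }
    // Returns a WP_User on success, or WP_Error for an invalid or expired key.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        // Generic message so the response does not reveal whether the login exists.
        return new WP_Error( 'invalid_key', 'Invalid or expired reset link.' );
    }
    reset_password( $user, $new_pass );
    return true;
}
```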

The latest advisory from Patchstack comes months after security experts urged users of the popular WordPress plugin to update their installations immediately.
