Vulnerability in Essential Addons for Elementor Plugin Allows Hack of Millions of Websites

Essential Addons for Elementor
Written by Emma Davis

One of the most popular WordPress plugins, Essential Addons for Elementor, was vulnerable to an unauthenticated privilege escalation that allowed attackers to gain administrator rights on the vulnerable site.

Let me remind you that we also wrote that Hackers Attack Elementor Pro WordPress Plugin With 11 Million Installs, and also that Developers fixed serious vulnerabilities in WordPress Download Manager.

Additionally, information security specialists reported that Exploits for Vulnerabilities in Three Popular WordPress Plugins Appeared on the Network.

Essential Addons for Elementor is a library of 90 extensions for the popular Elementor page builder, which is used by over 1,000,000 websites.

The problem was discovered by PatchStack on May 8, 2023, and received the identifier CVE-2023-32243. It allows privilege escalation without authentication and is related to the password reset feature in the plugin. Versions 5.4.0 to 5.7.1 are affected.

"[Using this vulnerability] it is possible to reset the password of any person if we know its username, and this allows us to reset the password of the site administrator and log into his account. The vulnerability occurs because the password reset feature does not validate the password reset key, but instead directly changes the password for a specific user," the researchers explain.

The consequences of exploiting such a vulnerability can be significant for site owners, ranging from unauthorized access to private information and defacement or deletion of the site to the spread of malware among site visitors.

As explained in the PatchStack report, an attacker would need to set the POST page_id and widget_id to a random value so that the plugin does not generate an error message that might make the site administrator suspicious. Also, the attacker must supply the correct nonce value in the eael-resetpassword-nonce parameter in order to confirm the password reset request and set a new password in the eael-pass1 and eael-pass2 parameters.

"At the moment the main question is how can we get the nonce value for essential-addons-elementor. It turns out that the nonce value is present on the front page of the WordPress site interface, as it is set in the $this->localize_objects variable by the load_commnon_asset function," the PatchStack researchers write.

Thus, if the rp_login parameter is set to a valid username, it is possible to change the target user’s password to a new one provided by the attacker, effectively giving the attacker control of the account.
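For defenders reviewing a site that ran an affected version, the sketch below is an added example (not code from PatchStack or the plugin) that scans logged POST bodies for the full set of reset parameters named above and checks a version string against the affected range. The log format, the sample lines and the function names are assumptions constructed for illustration, and it presumes request bodies are being logged (for example by a WAF audit log).

```python
from urllib.parse import parse_qs

# Parameter names taken from the article; a reset POST carries all of them.
RESET_PARAMS = {"eael-resetpassword-nonce", "eael-pass1", "eael-pass2", "rp_login"}
AFFECTED = ((5, 4, 0), (5, 7, 1))  # affected range stated in the article


def is_affected(version):
    """True if a plain numeric version string falls within 5.4.0-5.7.1."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))  # pad "5.7" to (5, 7, 0)
    return AFFECTED[0] <= parts[:3] <= AFFECTED[1]


def find_reset_posts(lines):
    """Return (timestamp, source_ip, target_user) for each POST whose body
    contains every plugin password-reset parameter."""
    hits = []
    for line in lines:
        fields = line.split(" ", 4)
        if len(fields) < 5 or fields[2] != "POST":
            continue
        ts, ip, _method, _path, body = fields
        params = parse_qs(body, keep_blank_values=True)
        if RESET_PARAMS.issubset(params):
            hits.append((ts, ip, params["rp_login"][0]))
    return hits


# Constructed sample lines (assumed format: time ip method path body).
SAMPLE_LOG = [
    "2023-05-12T09:14:02Z 203.0.113.7 POST / page_id=1&widget_id=1"
    "&eael-resetpassword-nonce=REDACTED&eael-pass1=REDACTED"
    "&eael-pass2=REDACTED&rp_login=admin",
    "2023-05-12T09:15:40Z 198.51.100.23 POST /wp-login.php log=editor&pwd=REDACTED",
    "2023-05-12T09:16:11Z 198.51.100.23 GET /?page_id=1 -",
    "2023-05-12T09:20:55Z 203.0.113.7 POST / page_id=7&widget_id=3"
    "&eael-resetpassword-nonce=REDACTED&eael-pass1=REDACTED"
    "&eael-pass2=REDACTED&rp_login=siteowner",
]

if __name__ == "__main__":
    for ts, ip, user in find_reset_posts(SAMPLE_LOG):
        print(f"{ts} reset POST from {ip} targeting account '{user}'")
    print("5.7.1 affected:", is_affected("5.7.1"))
    print("5.7.2 affected:", is_affected("5.7.2"))
```

The same fields can appear in a legitimate reset submitted through the plugin's form, so a hit is a lead to correlate with the account owner's activity, not proof of compromise.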

The fix for the vulnerability has already been released as part of Essential Addons for Elementor version 5.7.2. All plugin users are now advised to update to the latest version as soon as possible.

About the author

Emma Davis

I'm a writer and content manager (a short time ago completed a bachelor's degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.