WordPress Elementor contains a bug that poses a catastrophic security threat. The vulnerability affects over 1 million WordPress sites and can expose private information or even cause site deletion.
This week BleepingComputer reported that “Essential Addons for Elementor”, one of WordPress’s most popular Elementor plugins, was found to be vulnerable to an unauthenticated privilege escalation. This allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site – including that of admin.
The affected plugin supports the Elementor page-building solution with 90+ creative elements and extensions. This plugin adds power to the page builder using easy-to-use components. These elements are designed to enhance and simplify WordPress page and post design. An estimated one million WordPress sites worldwide use the plugin.
This latest bug follows a series of vulnerabilities discovered last month that affected both Elementor and Elementor Pro.
CVE-2023-32243 patched
The current vulnerability, which has been assigned the tracking code CVE-2023-32243, was discovered by Patchstack on May 8, 2023.
Hackers that exploit this vulnerability are able to reset the password of any user. That is to say, as long as they know their username. In such an instance, they can reset the password of the administrator and login to their account. This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the given user’s password.
The described vulnerability impacts versions 5.4.0 to 5.7.1 of the plugin but was fixed in version 5.7.2, which was released on May 11. Patching this problem was straightforward, Patchstack says. The plugin vendor only had to add a function that checks if a password reset key is present and legitimate in the reset requests.
Immediate action needed
Those with the Essential Addons for Elementor plugin installed should upgrade to the new version as soon as possible. The vulnerability described here poses significant threats. Potential dangers include unauthorized access to private information, website defacement or deletion, malware distribution to visitors, and brand repercussions such as loss of trust and legal compliance problems.
Patchstack also recommends that users pay extra attention to anything that is related to the login, registration and password reset/recovery process. “We highly recommend utilizing the check_password_reset_key function to check for the reset password key”, they warn.