Critical Vulnerability in WordPress Elementor Plugin

Published on 15 May 2023

WordPress has released security updates to address a critical vulnerability (CVE-2023-32243) in their Essential Addons for Elementor plugin. The vulnerability has a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.

Successful exploitation of this unauthenticated privilege escalation vulnerability could allow an attacker who knows the email address or username of a targeted account to reset that user's password without authentication, potentially gaining administrator rights to the site.

The vulnerability affects versions 5.4.0 to 5.7.1, inclusive, of the plugin.

Users and administrators of affected plugin versions are advised to upgrade to the latest version immediately.
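As an added example (not part of the original advisory), the following Python check reads the `Version:` header from a plugin's main PHP file and reports whether it falls inside the affected range 5.4.0 to 5.7.1 stated above; the fixed release 5.7.2 is taken from the changeset link below, and the sample plugin header is constructed for the demonstration.

```python
import re

# Affected range as stated in the advisory; fixed release taken from the
# linked changeset (tags/5.7.2).
AFFECTED_MIN = (5, 4, 0)
AFFECTED_MAX = (5, 7, 1)
FIXED = (5, 7, 2)

# Constructed sample of the header block WordPress reads from a plugin's
# main PHP file. Only the "Version:" line is used here.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Essential Addons for Elementor
 * Plugin URI: https://example.invalid/placeholder
 * Version: 5.7.1
 */
"""


def parse_version(text: str) -> tuple[int, ...]:
    """Extract 'Version:' from a plugin header as a tuple of ints.

    Comparing int tuples avoids the string-comparison bug where
    "5.10.0" would sort before "5.4.0"."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", text, re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    parts = tuple(int(p) for p in m.group(1).strip(".").split("."))
    # Pad so that "5.7" compares equal to 5.7.0
    return parts + (0,) * (3 - len(parts))


def is_affected(version: tuple[int, ...]) -> bool:
    """True when version lies in the inclusive range 5.4.0 .. 5.7.1."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(header_text: str) -> dict:
    """Return the parsed version, whether it is affected, and the action."""
    v = parse_version(header_text)
    affected = is_affected(v)
    fixed = ".".join(map(str, FIXED))
    return {
        "version": ".".join(map(str, v)),
        "affected": affected,
        "action": f"upgrade to {fixed} or later" if affected else None,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_HEADER))
```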

More information is available here:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/essential-addons-for-elementor-lite/essential-addons-for-elementor-571-unauthenticated-arbitrary-password-reset-to-privilege-escalation

https://plugins.trac.wordpress.org/changeset/2910988/essential-addons-for-elementor-lite/tags/5.7.2/includes/Traits/Login_Registration.php

https://patchstack.com/articles/critical-privilege-escalation-in-essential-addons-for-elementor-plugin-affecting-1-million-sites/

https://nvd.nist.gov/vuln/detail/CVE-2023-32243