Exploit Code Released for Elementor Plugins Bug

Unauthenticated Privilege Escalation in Essential Addons for Elementor plugin that does not validate the password reset key.

Security Vulnerability in Essential Addons for Elementor
A critical security vulnerability has been disclosed in the popular WordPress Elementor plugins, "Essential Addons for Elementor". The vulnerability, which has been assigned the identifier CVE-2023-32243, allows an attacker to gain elevated privileges on affected sites.

Today, a security expert has released the exploit code for CVE-2023-32243 which unauthenticated user to escalate their privilege to that of any user on the WordPress site. Successful exploitation of the flaw could permit a threat actor to reset the password of any arbitrary user as long as the malicious party is aware of their username. The shortcoming is believed to have existed since version 5.4.0.

The vulnerability is due to a misconfiguration in the way that Essential Addons for Elementor handles authentication. An attacker can exploit this vulnerability by sending a specially crafted request to the plugin's API. Once the vulnerability is exploited, the attacker will be able to execute arbitrary PHP code on the affected site, which could allow them to take complete control of the site.

Patchstack researcher Rafie Muhammad explains in its report, the attacker needs to set a random value in the POST 'page_id' and 'widget_id' inputs so that the plugin does not produce an error message that could raise suspicion on the website admin.

The attacker must also provide the correct nonce value on the 'eael-resetpassword-nonce' to validate the password reset request and set a new password on the 'eael-pass1' and 'eael-pass2' parameters.

The vulnerability has been fixed in Essential Addons for Elementor version 5.7.2, which was released on May 11, 2023. WordPress site administrators who are using Essential Addons for Elementor are urged to update the plugin as soon as possible.

How to update Essential Addons for Elementor

To update Essential Addons for Elementor, follow these steps:

  • Log in to your WordPress dashboard.
  • Go to the Plugins page.
  • Click on the "Installed Plugins" tab.
  • Search for "Essential Addons for Elementor".
  • Click on the "Update Now" button next to the plugin.
  • Click on the "Update" button to confirm the update.

What to do if you are unable to update Essential Addons for Elementor

If you are unable to update Essential Addons for Elementor, you can take the following steps to mitigate the risk of exploitation:

  • Disable Essential Addons for Elementor.
  • Install a security plugin that can block exploit attempts.
  • Monitor your site for signs of compromise.

The security vulnerability in Essential Addons for Elementor is a serious threat to WordPress sites. WordPress site administrators who are using Essential Addons for Elementor are urged to update the plugin as soon as possible. If you are unable to update the plugin, you can take the steps outlined above to mitigate the risk of exploitation.

Read Also
Post a Comment