One Million WordPress Websites Impacted by Exploited Plugin Vulnerability

Exploitation of a critical vulnerability in the Essential Addons for Elementor WordPress plugin began immediately after a patch was released, WordPress security firm Defiant warns.

With over one million installations, the Essential Addons for Elementor plugin provides additional elements and extensions for the Elementor website building platform.

Tracked as CVE-2023-32243 (CVSS score of 9.8), the critical-severity vulnerability is described as an unauthenticated privilege escalation that can be exploited to take over any user account.

“It is possible to reset the password of any user as long as we know their username thus being able to reset the password of the administrator and login on their account,” explains Patchstack security researcher Rafie Muhammad, who identified the flaw.

The issue exists in a password reset function that changes the password of any user account without validating a password reset key first.

An unauthenticated attacker could exploit the bug to reset the password of any user account if they know the email or username of that user.

The vulnerability impacts Essential Addons for Elementor versions 5.4.0 to 5.7.1 and was addressed this week with the release of version 5.7.2.

The patch adds a check to the password reset function to validate the reset password process.

Muhammad identified and reported the vulnerability on May 8. The first exploitation attempts targeting this bug were observed on May 11, when Essential Addons for Elementor version 5.7.2 was released.

“Wordfence blocked 151 attacks targeting this vulnerability in the past 24 hours,” Defiant notes in an advisory. It’s worth noting that the number of attacks seen by Defiant is rapidly increasing.

Essential Addons for Elementor users are advised to update their installations as soon as possible.

– SECURITYWEEK

Related posts

Latest WSO2 API Management Products Help Enterprises to Manage AI APIs, Maximize Developer Productivity, and Future-Proof Their Deployments

JLL Falcon kicks off new era of AI-powered CRE innovation

Pure Storage Simplifies Cloud Migrations for Enterprise-scale VMware Environments on Microsoft Azure

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read More