Essential Addons for Elementor, one of the most popular WordPress plugins, was found to be vulnerable to an unauthenticated privilege escalation that lets an attacker obtain administrator rights on an affected website. The plugin, installed on more than 1 million websites, is a library of 90 extensions for the popular Elementor page builder.
The vulnerability was discovered by PatchStack on May 8, 2023 and was assigned the identifier CVE-2023-32243. It allows privilege escalation without any authentication, stems from the plugin's password reset feature, and affects versions 5.4.0 through 5.7.1.
According to the researchers, “[Using this vulnerability] it is possible to reset the password of any user if their username is known, and this allows us to reset the password of the site administrator and gain access to their account.” The root cause is that the plugin's password reset handler never validates the password reset key (the per-user token WordPress normally sends by e-mail); it simply sets a new password for whichever user is named in the request.
Exploiting this vulnerability can have serious consequences, such as unauthorized access to private information, defacement or deletion of the site, and the spread of malware among site visitors, which can have devastating effects on site owners.
As explained in the PatchStack report, the attacker sets the POST parameters page_id and widget_id to arbitrary non-empty values so that the handler does not bail out with an error message (the values themselves are not checked). The request must also carry the correct nonce in the eael-resetpassword-nonce parameter, which is what the plugin treats as confirmation of the reset, and the new password, repeated, in the eael-pass1 and eael-pass2 parameters.
The researchers noted that “At the moment, the main question is how we can get the nonce value for essential-addons-elementor.” It turns out that the nonce is present on the main page of the WordPress site, because the load_commnon_asset function places it in the $this->localize_objects variable that is exposed to the front end. Since that nonce is handed to every visitor, it proves only that the request came from a form the site rendered, not that the sender owns the account. Therefore, if the rp_login parameter is set to a valid username, the attacker can change the target user's password to one of their own choosing and take over the account.
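To make the distinction concrete, the following is an added example (not the plugin's code and not from the PatchStack report) that models the reset flow described above in Python: a site-wide nonce that every visitor can read, a reset handler that accepts the nonce alone (the vulnerable behaviour), and a hardened handler that additionally requires a valid per-user reset key, as WordPress's own check_password_reset_key does. The Site class, the parameter names reused from the article, the secret and the user data are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

NONCE_ACTION = "eael-resetpassword-nonce"


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class User:
    login: str
    password_hash: str
    reset_key_hash: Optional[str] = None  # set only after a reset was requested by e-mail


class Site:
    """Constructed stand-in for a WordPress site running the reset handler (not the plugin's code)."""

    def __init__(self, secret: str = "constructed-site-secret"):
        self.secret = secret.encode()
        self.users = {"admin": User("admin", _hash("original-admin-pw"))}

    def front_page_nonce(self) -> str:
        # Same value for every visitor: it is embedded in the front page, so an
        # unauthenticated attacker can simply read it (the point made above).
        return hmac.new(self.secret, NONCE_ACTION.encode(), hashlib.sha256).hexdigest()[:10]

    def wp_verify_nonce(self, nonce: str) -> bool:
        return hmac.compare_digest(nonce.encode(), self.front_page_nonce().encode())

    def request_reset(self, login: str) -> str:
        """Emulates the 'lost password' mail: a fresh random key, only its hash is stored."""
        key = secrets.token_urlsafe(20)
        self.users[login].reset_key_hash = _hash(key)
        return key

    def check_password_reset_key(self, key: str, login: str) -> bool:
        user = self.users.get(login)
        if user is None or user.reset_key_hash is None or not key:
            return False
        return hmac.compare_digest(_hash(key).encode(), user.reset_key_hash.encode())

    def _common_checks(self, post: dict) -> Optional[str]:
        # page_id / widget_id only need to be non-empty, as the article describes
        if not post.get("page_id") or not post.get("widget_id"):
            return "missing page or widget id"
        if not self.wp_verify_nonce(post.get("eael-resetpassword-nonce", "")):
            return "security token did not match"
        if post.get("rp_login") not in self.users:
            return "unknown user"
        if not post.get("eael-pass1") or post["eael-pass1"] != post.get("eael-pass2"):
            return "passwords missing or do not match"
        return None

    def vulnerable_reset(self, post: dict) -> str:
        """Nonce + username + matching passwords is all it takes: no reset key check."""
        err = self._common_checks(post)
        if err:
            return err
        self.users[post["rp_login"]].password_hash = _hash(post["eael-pass1"])
        return "ok"

    def hardened_reset(self, post: dict) -> str:
        """Same flow, but the per-user key from the reset e-mail must validate and is single-use."""
        err = self._common_checks(post)
        if err:
            return err
        login = post["rp_login"]
        if not self.check_password_reset_key(post.get("rp_key", ""), login):
            return "invalid reset key"
        user = self.users[login]
        user.password_hash = _hash(post["eael-pass1"])
        user.reset_key_hash = None  # burn the key so it cannot be replayed
        return "ok"

    def login(self, login: str, password: str) -> bool:
        user = self.users.get(login)
        return user is not None and hmac.compare_digest(user.password_hash.encode(), _hash(password).encode())


def attacker_post(site: Site, new_password: str = "pwned") -> dict:
    """The request shape described in the article, with the nonce scraped from the front page."""
    return {
        "page_id": "1234",          # arbitrary non-empty value
        "widget_id": "abcd",        # arbitrary non-empty value
        "eael-resetpassword-nonce": site.front_page_nonce(),
        "rp_login": "admin",        # only the username must be known
        "eael-pass1": new_password,
        "eael-pass2": new_password,
    }


if __name__ == "__main__":
    site = Site()
    print("vulnerable:", site.vulnerable_reset(attacker_post(site)), "login as admin:", site.login("admin", "pwned"))
    site = Site()
    print("hardened  :", site.hardened_reset(attacker_post(site)), "login as admin:", site.login("admin", "pwned"))
```

Running the block shows the vulnerable handler accepting the attacker's request and the hardened one rejecting it with "invalid reset key"; only a request carrying the key obtained through the legitimate e-mail flow succeeds, and that key works once. The design point is that a nonce is a CSRF defence tied to the site, not an authorization credential tied to the user, which is why the nonce check alone could not protect this endpoint.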
The vulnerability has been addressed with the release of Essential Addons for Elementor version 5.7.2. All plugin users are now advised to update to the latest version as soon as possible.