WordPress Elementor plugin bug let attackers hijack accounts on 1M sites

One of WordPress’s most popular Elementor plugins, “Essential Addons for Elementor,” was found to be vulnerable to an unauthenticated privilege escalation that could allow remote attacks to gain administrator rights on the site.

Essential Addons for Elementor is a library of 90 extensions for the ‘Elementor’ page builder, used by  WordPress sites.

The flaw, which PatchStack discovered on May 8, 2023, is tracked as CVE-2023-32243 and is an unauthenticated privilege escalation vulnerability on the plugin’s password reset functionality, impacting versions 5.4.0 to 5.7.1.

“[By exploiting the flaw] It is possible to reset the password of any user as long as we know their username, thus being able to reset the password of the administrator and login on their account,” reads .

“This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user.”

The consequences of this flaw are significant and include unauthorized access to private information, website defacement or deletion, malware distribution to visitors, and brand repercussions such as loss of trust and legal compliance problems.

While remote attackers do not need to authenticate to exploit the CVE-2023-32243 flaw, they need to know a username on the system they are targeting for the malicious password reset.

(Un)conditional password reset

As PatchStack explains in its report, the attacker needs to set a random value in the POST ‘page_id’ and ‘widget_id’ inputs so that the plugin does not produce an error message that could raise suspicion on the website admin.

The attacker must also provide the correct nonce value on the ‘eael-resetpassword-nonce’ to validate the password reset request and set a new password on the ‘eael-pass1’ and ‘eael-pass2’ parameters.

“At this point the question is perhaps how we can get our hands on the essential-addons-elementor nonce value,” explains PatchStack.

“Turns out that this nonce value is present in the main front-end page of the WordPress site since it will be set in the $this->localize_objects variable by the load_commnon_asset function:”

Assuming that a valid username has been set on the ‘rp_login’ parameter, the code will change the password for the targeted user to the new one provided by the attacker, essentially giving them control of the account.

Part of the PHP that triggers the password reset
Part of the PHP that triggers the password reset (PatchStack)

Patching this problem was straightforward, comments the security firm, as the plugin vendor had to add a function that checks if a password reset key is present and legitimate in the reset requests.

The fix was released with Essential Addons for Elementor version 5.7.2, which was made available today. All plugin users are recommended to upgrade to the latest version as soon as possible.