Connect with us

Hi, what are you looking for?


Malware & Threats

1 Million WordPress Sites Impacted by Exploited Plugin Vulnerability

Exploitation of a critical vulnerability in the Essential Addons for Elementor WordPress plugin started immediately after a patch was released.

Exploitation of a critical vulnerability in the Essential Addons for Elementor WordPress plugin began immediately after a patch was released, WordPress security firm Defiant warns.

With over one million installations, the Essential Addons for Elementor plugin provides additional elements and extensions for the Elementor website building platform.

Tracked as CVE-2023-32243 (CVSS score of 9.8), the critical-severity vulnerability is described as an unauthenticated privilege escalation that can be exploited to take over any user account.

“It is possible to reset the password of any user as long as we know their username thus being able to reset the password of the administrator and login on their account,” explains Patchstack security researcher Rafie Muhammad, who identified the flaw.

The issue exists in a password reset function that changes the password of any user account without validating a password reset key first.

An unauthenticated attacker could exploit the bug to reset the password of any user account if they know the email or username of that user.

The vulnerability impacts Essential Addons for Elementor versions 5.4.0 to 5.7.1 and was addressed this week with the release of version 5.7.2.

Advertisement. Scroll to continue reading.

The patch adds a check to the password reset function to validate the reset password process.

Muhammad identified and reported the vulnerability on May 8. The first exploitation attempts targeting this bug were observed on May 11, when Essential Addons for Elementor version 5.7.2 was released.

“Wordfence blocked 151 attacks targeting this vulnerability in the past 24 hours,” Defiant notes in an advisory. It’s worth noting that the number of attacks seen by Defiant is rapidly increasing.

Essential Addons for Elementor users are advised to update their installations as soon as possible.

Related: Vulnerability in Field Builder Plugin Exposes Over 2M WordPress Sites to Attacks

Related: Abandoned WordPress Plugin Abused for Backdoor Deployment

Related: Elementor Pro Plugin Vulnerability Exploited to Hack WordPress Websites

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.