Exploitation of a critical vulnerability in the Essential Addons for Elementor WordPress plugin began immediately after a patch was released, WordPress security firm Defiant warns.
With over one million installations, the Essential Addons for Elementor plugin provides additional elements and extensions for the Elementor website building platform.
Tracked as CVE-2023-32243 (CVSS score of 9.8), the critical-severity vulnerability is described as an unauthenticated privilege escalation that can be exploited to take over any user account.
“It is possible to reset the password of any user as long as we know their username thus being able to reset the password of the administrator and login on their account,” explains Patchstack security researcher Rafie Muhammad, who identified the flaw.
The issue exists in a password reset function that changes the password of any user account without validating a password reset key first.
An unauthenticated attacker could exploit the bug to reset the password of any user account if they know the email or username of that user.
The vulnerability impacts Essential Addons for Elementor versions 5.4.0 to 5.7.1 and was addressed this week with the release of version 5.7.2.
The patch adds a check to the password reset function to validate the reset password process.
Muhammad identified and reported the vulnerability on May 8. The first exploitation attempts targeting this bug were observed on May 11, when Essential Addons for Elementor version 5.7.2 was released.
“Wordfence blocked 151 attacks targeting this vulnerability in the past 24 hours,” Defiant notes in an advisory. It’s worth noting that the number of attacks seen by Defiant is rapidly increasing.
Essential Addons for Elementor users are advised to update their installations as soon as possible.
Related: Vulnerability in Field Builder Plugin Exposes Over 2M WordPress Sites to Attacks
Related: Abandoned WordPress Plugin Abused for Backdoor Deployment
Related: Elementor Pro Plugin Vulnerability Exploited to Hack WordPress Websites