One of WordPress’s most popular Elementor plugins, “Essential Addons for Elementor,” was found to be vulnerable to an unauthenticated privilege escalation flaw that could allow remote attackers to gain administrator rights on the site.

Essential Addons for Elementor is a library of 90 extensions for the ‘Elementor’ page builder, used by over one million WordPress sites.

The flaw, which PatchStack discovered on May 8, 2023, is tracked as CVE-2023-32243. It is an unauthenticated privilege escalation vulnerability in the plugin’s password reset functionality, impacting versions 5.4.0 to 5.7.1.

“[By exploiting the flaw] It is possible to reset the password of any user as long as we know their username, thus being able to reset the password of the administrator and log in to their account,” reads PatchStack’s bulletin.

“This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user.”
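The root cause PatchStack describes is a reset handler that trusts a supplied username without checking a reset key. The following is an added, illustrative reconstruction of that bug class and its hardened form using WordPress’s own reset API; it is not the plugin’s actual code, and the form field names and function names are assumptions.

```php
<?php
// Illustrative reconstruction of the bug class described above (NOT the
// plugin's real code). Assumed: a front-end form posts `user_login`,
// `reset_key` and `new_password`; both handler names are hypothetical.

// Weak pattern: resolves whatever username was posted and changes its
// password without ever proving the caller holds a valid reset key.
function insecure_handle_reset() {
    $user = get_user_by( 'login', sanitize_user( wp_unslash( $_POST['user_login'] ) ) );
    if ( $user ) {
        reset_password( $user, (string) $_POST['new_password'] ); // no key check
    }
}

// Hardened pattern: the reset key WordPress issued must validate for
// exactly this login before the password is changed.
function secure_handle_reset() {
    if ( ! isset( $_POST['user_login'], $_POST['reset_key'], $_POST['new_password'] ) ) {
        return new WP_Error( 'missing_fields', 'Missing form fields.' );
    }
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ) );
    $key   = sanitize_text_field( wp_unslash( $_POST['reset_key'] ) );

    // check_password_reset_key() returns a WP_User on success and a
    // WP_Error for a missing, mismatched or expired key.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        // Fail closed and record the attempt; keep the response generic so
        // it does not reveal whether the username exists.
        error_log( 'Rejected password reset attempt for login: ' . $login );
        return new WP_Error( 'invalid_key', 'Invalid or expired reset key.' );
    }

    $new_password = (string) $_POST['new_password'];
    if ( strlen( $new_password ) < 12 ) {
        return new WP_Error( 'weak_password', 'Password must be at least 12 characters.' );
    }

    // reset_password() updates the hash and clears the stored activation
    // key, so the same reset link cannot be replayed.
    reset_password( $user, $new_password );
    return true;
}
```

In the vulnerable case the only secret needed is a username, which is exactly what the bulletin quoted above describes; in the hardened case the one-time key tied to that account is required.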
Source: WordPress Elementor plugin bug let attackers hijack accounts on 1M sites