WordPress Elementor plugin bug let attackers hijack accounts on 1M sites

One of WordPress’s most popular Elementor plugins, “Essential Addons for Elementor,” was found to be vulnerable to an unauthenticated privilege escalation that could allow remote attacks to gain administrator rights on the site.Essential Addons for Elementor is a library of 90 extensions for the ‘Elementor’ page builder, used by over one million WordPress sites.The flaw, which PatchStack discovered on May 8, 2023, is tracked as CVE-2023-32243 and is an unauthenticated privilege escalation vulnerability on the plugin’s password reset functionality, impacting versions 5.4.0 to 5.7.1.”[By exploiting the flaw] It is possible to reset the password of any user as long as we know their username, thus being able to reset the password of the administrator and login on their account,” reads PatchStack’s bulletin.”This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user.”

Source: WordPress Elementor plugin bug let attackers hijack accounts on 1M sites


My pronouns are whatever you're comfortable with as long as you speak to me with respect. I'm an Afruikan and Iswa refugee living in Canaan. That's African American expat in Israel in Normalian. I build websites, make art, and assist people in exercising their spirituality. I'm also the king of an ile, Baalat Teva, a group of African spirituality adherents here. Feel free to contact me if you are in need of my services or just want to chat.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • You’ve read the article, now get the t-shirt! :-D