A newly discovered vulnerability in the Essential Addons for Elementor plugin has put more than a million WordPress websites at risk of attacks aimed at gaining unauthorized access to elevated user accounts.
Cybersecurity experts at Patchstack described the new vulnerability (CVE-2023-32243) in an advisory published Thursday.
“This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to elevate their privileges to those of any user on the WordPress site,” the white paper says.
Patchstack further explained that by exploiting this vulnerability, attackers could reset any user’s password simply by knowing their username, thereby gaining unauthorized access to user accounts, including those with administrative privileges.
“This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the given user’s password,” Patchstack wrote.
The company clarified that the flaw was fixed in version 5.7.2, released on May 11, just days after Patchstack contacted the plugin vendor on May 8.
“Because we have detected that third parties have gained access to information about the vulnerability by monitoring the changelog and have made the issue public, we have decided to disclose the vulnerability early,” the notice says.
At the same time, Patchstack clarified that while the patch addresses the specific vulnerability that was identified, the software may have multiple vulnerabilities and new vulnerabilities may emerge in the future.
To this end, system administrators should implement additional security practices such as access control and nonce checks, and use functions such as check_password_reset_key(), which checks the validity and expiration of a password reset key, to ensure secure password reset processes.
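An added illustration of those checks (not code from Essential Addons for Elementor or from Patchstack): a hypothetical WordPress AJAX handler in which a nonce check and a check_password_reset_key() call gate reset_password(), so that knowing a username alone is not enough to change a password. The hook and field names are assumptions.

```php
<?php
// Hypothetical "set new password" AJAX handler for a WordPress plugin.
// Assumed form fields: _wpnonce, user_login, key (from the reset e-mail), new_password.
add_action( 'wp_ajax_nopriv_example_reset_password', 'example_reset_password_handler' );

function example_reset_password_handler() {
    // 1. Nonce check: the request must come from our own form, not an arbitrary caller.
    if ( ! isset( $_POST['_wpnonce'] )
        || ! wp_verify_nonce( $_POST['_wpnonce'], 'example_reset_password' ) ) {
        wp_send_json_error( 'Invalid request.', 403 );
    }

    $login    = isset( $_POST['user_login'] ) ? sanitize_user( wp_unslash( $_POST['user_login'] ) ) : '';
    $key      = isset( $_POST['key'] ) ? sanitize_text_field( wp_unslash( $_POST['key'] ) ) : '';
    $new_pass = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';

    if ( '' === $login || '' === $key || '' === $new_pass ) {
        wp_send_json_error( 'Missing fields.', 400 );
    }

    // 2. Reset-key check: the step the advisory says the vulnerable function skipped.
    // check_password_reset_key() compares the submitted key with the hashed key
    // stored for that user and rejects unknown or expired keys, returning WP_Error.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( 'Invalid or expired reset key.', 403 );
    }

    // 3. Only a caller holding a valid key reaches this point. reset_password()
    // stores the new password and clears the used key so it cannot be replayed.
    reset_password( $user, $new_pass );

    wp_send_json_success( 'Password updated.' );
}
```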
Patchstack’s recent warning comes months after security experts urged users of a popular WordPress plugin to immediately update their installations.
Security researchers recently discovered a critical plugin flaw that has exposed more than one million WordPress websites. The vulnerability stems from the Essential Addons plugin, a popular WordPress plugin used to customize website layouts, add contact forms, and more. If exploited, the flaw could allow attackers to take control of vulnerable WordPress sites.
Ikaroa, a full stack tech company, is advising WordPress website owners to ensure they are regularly patching their sites, as well as monitoring their websites for any suspicious activity. In addition, Ikaroa recommends running website security monitoring and scanning services to detect any issues early, and to ensure that no future vulnerabilities can be exploited.
The WordPress Security team has released a patch for the plugin, and users of the plugin should update as soon as possible. Additionally, WordPress site owners should confirm that the plugin is still being actively maintained, as older, unmaintained plugins can be prone to vulnerabilities.
Thankfully, new security protocols and processes are being set in place by various providers, such as Ikaroa, to ensure WordPress sites remain secure. By leveraging innovative technologies and expertise, companies like Ikaroa can provide more comprehensive security features and controls that would otherwise be difficult to deploy using manual, conventional processes.
While no website is ever 100% secure, taking these key steps can help ensure that WordPress sites are as secure as possible, and that any future vulnerabilities can be quickly detected and dealt with. If you own a WordPress site, contact Ikaroa today and start taking your website security seriously.