Critical Privilege Escalation in Essential Addons for Elementor Plugin Affecting 1+ Million Sites

gregmcc

gregmcc

Honorary Master
Joined
Jun 29, 2006
Messages
28,087
Reaction score
8,657
Location
Somewhere in the world
patchstack.com

1+ Million Sites Affected by Critical Privilege Escalation Vulnerability in Essential Addons for Elementor Plugin

This blog post is about the Essential Addons for Elementor plugin vulnerability. If you’re a Essential Addons for Elementor user, please update the plugin to at least version 5.7.2. Patchstack Developer and Business plan users are protected from the vulnerability. You can also sign up for the...
patchstack.com patchstack.com

This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site.

It is possible to reset the password of any user as long as we know their username thus being able to reset the password of the administrator and login on their account. This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user. The described vulnerability was fixed in version 5.7.2 and assigned CVE-2023-32243.
Click to expand...
 
If you run Wordpress with Elementor you need to patch now. This bug is being actively exploited. Just had an alert on one of my websites that my password was changed due to this.
 
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter