The Essential Addons for Elementor plugin, which has more than a million installations, adds new components and extensions to the Elementor website builder. The critical-severity vulnerability, identified as CVE-2023-32243 (CVSS score of 9.8), is described as an unauthenticated privilege escalation that can be used to take control of any user account. According to Patchstack security researcher Rafie Muhammad, who discovered the flaw, “It is possible to reset the password of any user as long as we know their username, thus being able to reset the password of the administrator and login on their account.”
There is a problem with a password reset feature that alters the password for any user account without first verifying a password reset key. If a non-authenticated attacker knows a user’s username or email address, they can use the bug to reset that user’s password.
Version 5.7.2 of the Essential Addons for Elementor was released this week to address the vulnerability, which affects versions 5.4.0 to 5.7.1. The patch updates the password reset feature to include a check that verifies the reset password procedure. Muhammad discovered and reported the flaw on May 8. On May 11, when Essential Addons for Elementor version 5.7.2 was released, the first attempts at exploiting this bug were noted. 151 attacks aimed at this vulnerability were stopped by Wordfence in the last 24 hours, according to a Defiant advisory.
It’s important to note that Defiant is seeing a sharp rise in the number of attacks. Users of essential add-on add-ons for Elementor are urged to update their installations right away.