
“Millions of WordPress Websites at risk: Plugin vulnerability exploited by attackers”

1 Million WordPress Sites Impacted by Exploited Plugin Vulnerability

A vulnerability in the Essential Addons for Elementor WordPress plugin has compromised the security of over a million WordPress sites. Exploitation of the critical vulnerability started immediately after a patch was released, and WordPress security firm Defiant is warning users of Essential Addons for Elementor to update their installations as soon as possible. The flaw, tracked as CVE-2023-32243 and rated with a CVSS score of 9.8, can allow unauthenticated privilege escalation, letting attackers take over any user account, including the administrator's. Security researchers quickly identified the flaw and provided a solution for the password reset function, which changes the password of any user account without first validating a password reset key.

**A Critical Vulnerability in the WordPress Plugin**

Patchstack security researcher Rafie Muhammad was the first to identify and report the critical vulnerability in the Essential Addons for Elementor WordPress plugin. Attackers can exploit the flaw for unauthenticated privilege escalation and to take over the account of any user. The password reset function changes the password of any user account without validating a password reset key, so an attacker who knows a user's email address or username can reset that user's password.
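The missing check described above, modeled in self-contained PHP as an added example. This is not the plugin's code: the `ResetDemo` class, its method names and the sample account are constructed for illustration. WordPress core provides the equivalent validation as `check_password_reset_key()`.

```php
<?php
declare(strict_types=1);

// Constructed in-memory stand-in for a site's user table (not WordPress code).
final class ResetDemo
{
    private array $users = [];

    public function addUser(string $login, string $password): void
    {
        $this->users[$login] = ['pw' => password_hash($password, PASSWORD_DEFAULT),
                                'key_hash' => null, 'expires' => 0];
    }

    // Issue a one-time reset key. Only its hash is stored; the key goes to the user's mailbox.
    public function issueKey(string $login, int $ttl = 3600): ?string
    {
        if (!isset($this->users[$login])) { return null; }
        $key = bin2hex(random_bytes(20));
        $this->users[$login]['key_hash'] = hash('sha256', $key);
        $this->users[$login]['expires'] = time() + $ttl;
        return $key;
    }

    // Flawed pattern from the article: knowing the login is enough to set a new password.
    public function resetWithoutKeyCheck(string $login, string $newPw): bool
    {
        if (!isset($this->users[$login])) { return false; }
        $this->users[$login]['pw'] = password_hash($newPw, PASSWORD_DEFAULT);
        return true;
    }

    // Hardened: require an unexpired key, compare in constant time, invalidate it after use.
    public function resetWithKeyCheck(string $login, string $key, string $newPw): bool
    {
        $u = $this->users[$login] ?? null;
        if ($u === null || $u['key_hash'] === null || time() > $u['expires']) { return false; }
        if (!hash_equals($u['key_hash'], hash('sha256', $key))) { return false; }
        $this->users[$login]['pw'] = password_hash($newPw, PASSWORD_DEFAULT);
        $this->users[$login]['key_hash'] = null;
        return true;
    }
}

$site = new ResetDemo();
$site->addUser('admin', 'original-password');                          // constructed sample account
var_dump($site->resetWithoutKeyCheck('admin', 'chosen-by-anyone'));    // flawed handler, no key supplied
var_dump($site->resetWithKeyCheck('admin', 'guessed-key', 'new-pw'));  // hardened handler, key never issued
$key = $site->issueKey('admin');
var_dump($site->resetWithKeyCheck('admin', $key, 'new-pw'));           // hardened handler, valid key
var_dump($site->resetWithKeyCheck('admin', $key, 'again'));            // hardened handler, same key replayed
```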

**Exploitation and Attacks on the Plugin**

As soon as the patch was released, the exploitation of the critical vulnerability in the Essential Addons for Elementor WordPress plugin escalated rapidly. First exploitation attempts targeting the flaw were observed on May 11 when Essential Addons for Elementor Version 5.7.2 was released. Defiant reported that in the past 24 hours, 151 attacks targeting the vulnerability had been recorded.

**Mitigation and User Recommendations**

WordPress website administrators should ensure that they have updated the Essential Addons for Elementor plugin to Version 5.7.2 to mitigate the risk of attack. They should also check that they have installed the necessary WordPress security plugins for optimized website protection. WordPress website administrators and users are advised to prioritize website protection measures and carry out regular maintenance and security checks to mitigate the risks of future attacks and ensure that users’ data is safe and secure.

In conclusion, the recent critical vulnerability discovered in the Essential Addons for Elementor WordPress plugin highlights the constant need for WordPress website administrators to ensure they are up to date with the latest security measures. The increasing number of attacks targeting vulnerabilities in plugins used in WordPress installations is a threat. Defiant warns that the number of attacks is rapidly increasing. To protect its users, WordPress needs to regularly review and improve its security measures to continue reducing the risk of attacks.
