
“Vulnerable Plugin Used by Over 1 Million WordPress Websites Patched to Prevent Critical Exploit”

WordPress Security: Why Plugins are the Biggest Risk for Website Operators

WordPress is among the most popular content management systems (CMS) in the world, powering over 43% of all websites. One reason for its popularity is that organizations can quickly extend a site's functionality through plugins, without coding or advanced technical skills. Plugins have also been the biggest source of risk for website operators in recent years, and the newest example is a critical privilege escalation vulnerability in a plugin that more than one million WordPress sites use.

The plugin, Essential Addons for Elementor, was found to contain a vulnerability (CVE-2023-32243) affecting versions 5.4.0 through 5.7.1 that allows an unauthenticated attacker to take over any account on the site, including an administrator account. Researchers at Patchstack found the flaw on May 8 and reported it to WPDeveloper, the plugin's author, which released a fixed version (5.7.2) that addresses the bug.

The vulnerability was due to Essential Addons' password reset code resetting a user's password without first validating that a legitimate password reset key was present for that user. This gave an unauthenticated attacker who knew a target's username a way to reset the password of any user on an affected site and log in to that account. Essential Addons is just one of thousands of plugins found to have vulnerabilities in recent years: researchers counted 4,528 new vulnerabilities in WordPress plugins in 2022 alone, a 328% increase over 2021.
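The bug class described above, shown as an added example: this is a constructed in-memory model of a WordPress-style password reset, not Essential Addons' code, and it uses no WordPress APIs. The vulnerable handler checks a CSRF nonce and then resets whichever account the form names; the hardened handler enforces what WordPress's own check_password_reset_key() enforces before reset_password() is allowed to run. The nonce value, the store, and the hashing are stand-ins chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Reset keys expire after one day, matching WordPress's default.
RESET_KEY_TTL = 24 * 3600

# Stand-in for a CSRF nonce embedded in the page; assumed value for the model.
SITE_NONCE = "site-nonce"


def _hash(value):
    # Toy hashing for the model; WordPress uses a salted password hash.
    return hashlib.sha256(value.encode()).hexdigest()


class UserStore:
    """In-memory stand-in for the users table (constructed for this example)."""

    def __init__(self):
        self.passwords = {}   # login -> hash of current password
        self.reset_keys = {}  # login -> (hash of reset key, expiry timestamp)

    def add_user(self, login, password):
        self.passwords[login] = _hash(password)

    def check_login(self, login, password):
        stored = self.passwords.get(login)
        return stored is not None and hmac.compare_digest(stored, _hash(password))

    def issue_reset_key(self, login, now=None):
        """Mirrors get_password_reset_key(): a random key is generated for the
        user and stored hashed with an expiry; the plaintext would be e-mailed
        to the account owner (not modelled here)."""
        key = secrets.token_urlsafe(20)
        now = time.time() if now is None else now
        self.reset_keys[login] = (_hash(key), now + RESET_KEY_TTL)
        return key


def vulnerable_reset(store, form):
    """The bug class: verify a nonce, then reset the password of whichever
    user the form names. The nonce only proves the request came from a form
    the site served (and it is readable by any visitor); it says nothing about
    whether the submitter owns the account, and the reset key is never checked."""
    if form.get("nonce") != SITE_NONCE:
        return False
    login = form.get("rp_login")
    if login not in store.passwords:
        return False
    store.passwords[login] = _hash(form["new_password"])
    return True


def hardened_reset(store, form, now=None):
    """A key must exist for this exact login, it must match the stored hash,
    it must be unexpired, and it is consumed on use. Only then is the
    password changed."""
    if form.get("nonce") != SITE_NONCE:
        return False
    login, key = form.get("rp_login"), form.get("rp_key")
    if not login or not key or login not in store.reset_keys:
        return False
    key_hash, expires_at = store.reset_keys[login]
    now = time.time() if now is None else now
    if now > expires_at:
        del store.reset_keys[login]       # stale key is discarded
        return False
    if not hmac.compare_digest(key_hash, _hash(key)):
        return False
    del store.reset_keys[login]           # single use
    store.passwords[login] = _hash(form["new_password"])
    return True


if __name__ == "__main__":
    store = UserStore()
    store.add_user("admin", "correct horse")
    attacker = {"nonce": SITE_NONCE, "rp_login": "admin", "new_password": "pwned"}
    print("vulnerable handler, no key:", vulnerable_reset(store, attacker))
    print("hardened handler, no key:  ", hardened_reset(store, attacker))
    key = store.issue_reset_key("admin")
    print("hardened handler, real key:", hardened_reset(store, dict(attacker, rp_key=key)))
```

The point of the contrast is that a nonce is a CSRF control, not an authorization control: the only thing that ties a reset request to the account owner is possession of the secret key that was delivered out of band, so that key must be required, matched, time-limited, and invalidated after one use.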

Plugins accounted for 93% of the vulnerabilities reported in the WordPress ecosystem in 2022, with only 0.6% of confirmed bugs in the WordPress core platform itself. Some 14% of the bugs were rated high or critical severity. The trend has continued into 2023, with iThemes tracking 160 vulnerabilities in the one-week period ending April 26 alone.

Another recent example of a privilege escalation flaw in a different plugin, Advanced Custom Fields, affected two million websites. That vulnerability, a reflected cross-site scripting bug, gave attackers a way both to steal sensitive data from affected sites and to escalate privileges on them.

Such vulnerabilities have led to large numbers of websites being compromised by threat actors over the years. In a campaign dubbed "Balada Injector," a threat actor has been systematically injecting malware into WordPress sites through vulnerable plugins since at least 2017. The security firm Sucuri assesses that the actor has infected at least one million WordPress sites with malware that redirects visitors to fake tech support pages, fraudulent lottery sites, and other scam sites.

Despite these threats, the growing number of vulnerabilities reported in the WordPress ecosystem is not necessarily a sign that plugin developers are getting sloppier; it means security researchers are looking harder. "This also means that the WordPress ecosystem is becoming more secure because a lot more of these security bugs are being addressed and patched," Patchstack said.

To mitigate the risk from WordPress plugins, website operators should keep WordPress core and plugins up to date (enabling automatic updates where practical), remove plugins they no longer use, choose reputable plugins from developers with a track record of responding to security reports, and apply least privilege so that only users who need elevated roles have them. Admins should also track patches and vulnerability disclosures for the plugins they actually run and act on them as quickly as possible, since every day an affected version stays installed is a day the site is exposed.
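One concrete form of "keep disclosures on your radar" is to compare what is installed against an advisory's version range. The following is an added example, not tooling from Patchstack or WPDeveloper: it takes the output of `wp plugin list --format=json` (a constructed sample is embedded), checks each plugin against the CVE-2023-32243 range the article gives, and emits the WP-CLI update commands. The plugin slug `essential-addons-for-elementor-lite` is assumed to be the wordpress.org directory slug for the plugin; verify it against your own install.

```python
import json

# Constructed sample of `wp plugin list --format=json` output (not real data).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "essential-addons-for-elementor-lite", "status": "active",
     "update": "available", "version": "5.7.1"},
    {"name": "elementor", "status": "active", "update": "none", "version": "3.13.2"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
])

# Advisory data from the article. The slug is an assumption for this example.
ADVISORIES = [
    {"slug": "essential-addons-for-elementor-lite", "id": "CVE-2023-32243",
     "first_vulnerable": "5.4.0", "last_vulnerable": "5.7.1", "fixed_in": "5.7.2"},
]


def parse_version(text):
    """Turn '5.7.1' into (5, 7, 1). A trailing non-numeric suffix on a
    component (e.g. '5.7.1-beta') is dropped so a pre-release compares as its
    base version. Tuples of unequal length compare the way dotted versions do:
    (5, 7, 1) < (5, 7, 1, 1) < (5, 7, 2)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_vulnerable_plugins(plugins, advisories=ADVISORIES):
    """Return [(slug, installed_version, advisory_id, fixed_in), ...] for every
    installed plugin whose version satisfies first_vulnerable <= v < fixed_in.
    Comparing against fixed_in rather than last_vulnerable means an odd build
    such as 5.7.1.1 is still flagged. Status is deliberately ignored: an
    inactive plugin's code is still on disk and may still be reachable."""
    by_slug = {a["slug"]: a for a in advisories}
    hits = []
    for plugin in plugins:
        adv = by_slug.get(plugin["name"])
        if adv is None:
            continue
        v = parse_version(plugin["version"])
        if parse_version(adv["first_vulnerable"]) <= v < parse_version(adv["fixed_in"]):
            hits.append((plugin["name"], plugin["version"], adv["id"], adv["fixed_in"]))
    return hits


def remediation_commands(hits):
    """WP-CLI commands that move each affected plugin to the fixed release."""
    return [f"wp plugin update {slug} --version={fixed}" for slug, _, _, fixed in hits]


if __name__ == "__main__":
    # Real use: plugins = json.loads(subprocess.check_output(["wp", "plugin", "list", "--format=json"]))
    hits = find_vulnerable_plugins(json.loads(SAMPLE_WP_PLUGIN_LIST))
    for slug, version, cve, fixed in hits:
        print(f"{slug} {version} is affected by {cve}; fixed in {fixed}")
    for cmd in remediation_commands(hits):
        print(cmd)
```

Run it against the real WP-CLI output from each site you administer; a hit means the installed build is inside the affected range and should be updated (or the plugin removed) before anything else.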


<< photo by Feo con Ganas >>