Essential Addons for Elementor, one of the most popular Elementor plugins, was found to be vulnerable to an unauthenticated privilege escalation bug. This bug lets hackers perform remote attacks to gain administrator rights
PatchStack discovered this bug on May 8, 2023, and the bug is tracked as CVE-2023-32243. The bug impacts the plugin’s versions 5.4.0 to 5.7.1. The bug was fixed and the version 5.7.2 with fixes was published on 11 May 2023.
The bug lets reset the password of any user as long as they know their usernames. So, attackers can reset the password of the administrator and then login into their account.
“It is possible to reset the password of any user as long as we know their username thus being able to reset the password of the administrator and login on their account. This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user,” reads the Patchstack blog post about the vulnerability.
The bug is really serious and can be used to get unauthorized access to private information, website defacement or deletion, malware distribution, or more.
Patchstack wrote a detailed blog post with explanation of how this bug works and how it allowed attackers to perform the attack.
If you use this Elementor plugin, you need to update the plugin as soon as possible.