Exploitation of a critical vulnerability in the Essential Addons for Elementor WordPress plugin began immediately after a patch was released, WordPress security firm Defiant warns.
With over one million installations, the Essential Addons for Elementor plugin provides additional elements and extensions for the Elementor website building platform.
Tracked as CVE-2023-32243 (CVSS score of 9.8), the critical-severity vulnerability is described as an unauthenticated privilege escalation that can be exploited to take over any user account.
“It is possible to reset the password of any user as long as we know their username thus being able to reset the password of the administrator and login on their account,” explains Patchstack security researcher Rafie Muhammad, who identified the flaw.
The issue exists in a password reset function that changes the password of any user account without validating a password reset key first.
An unauthenticated attacker could exploit the bug to reset the password of any user account if they know the email or username of that user.
The vulnerability impacts Essential Addons for Elementor versions 5.4.0 to 5.7.1 and was addressed this week with the release of version 5.7.2.