- Feb 27, 2014
- 16,530
- 22,287
On May 11 2023, Essential Addons for Elementor, a WordPress plugin with over one million active installations, released a patch for a critical vulnerability that made it possible for any unauthenticated user to reset arbitrary user passwords, including user accounts with administrative-level access. This vulnerability was discovered and responsibly disclosed by security researcher Rafie Muhammed.
Over the past few days we’ve seen millions of probing attempts for the plugin’s readme.txt file, which are likely to be attackers probing for the presence of the plugin to build a target site exploit list, along with over 6,900 blocked exploit attempts. Our attack data is limited due to the fact that the rule only triggers if the plugin is installed on a site with a vulnerable version, but a programmatic exploit was made public on Github on May 14th. This is the type of vulnerability that tends to see widespread attacks due to a combination of a large install base, ease of exploitation, and severity of impact, and we anticipate that exploit attempts will only ramp up from here.
Wordfence Premium, Care, and Response customers received a firewall rule the same day the issue was disclosed on May 11, 2023. Wordfence free users will receive that same protection 30 days later on June 20, 2023. Considering how easily this vulnerability can be successfully exploited, we highly recommend all users of the plugin update ASAP to ensure their site is not compromised by this vulnerability.
Affected Plugin: Essential Addons for Elementor
Plugin Slug: essential-addons-for-elementor-lite
Affected Versions: <= 5.7.1
CVE ID: CVE-2023-32243
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Rafie Muhammed
Fully Patched Version: 5.7.2
The vulnerability patched in Essential Addons for Elementor allowed for attackers to reset passwords for arbitrary accounts on any of the one million WordPress sites running the plugin. This was due to the fact that the reset_password function did not adequately validate a password reset request with a password reset key, so attackers could simply supply a valid username, obtain a valid nonce from the site’s homepage, input random data for the remaining fields, and reset the supplied users password to whatever they chose in one simple request.
WordPress doesn’t consider usernames to be sensitive information which means attackers can easily enumerate a site looking for valid usernames. Additionally, site owners often forget to change the default username making it possible for attackers to use common default usernames such as ‘admin.’ This makes it much easier for attackers to uncover valid accounts that they can compromise in order to elevate their privileges on the site. Once the attacker is logged in as an administrator, they have free rein to perform actions like installing plugins and backdoors to further infect the site, server, and any unsuspecting visitors.
Source:
https://www.wordfence.com/threat-intel/vulnerabilities/researchers/rafie-muhammad
Over the past few days we’ve seen millions of probing attempts for the plugin’s readme.txt file, which are likely to be attackers probing for the presence of the plugin to build a target site exploit list, along with over 6,900 blocked exploit attempts. Our attack data is limited due to the fact that the rule only triggers if the plugin is installed on a site with a vulnerable version, but a programmatic exploit was made public on Github on May 14th. This is the type of vulnerability that tends to see widespread attacks due to a combination of a large install base, ease of exploitation, and severity of impact, and we anticipate that exploit attempts will only ramp up from here.
Wordfence Premium, Care, and Response customers received a firewall rule the same day the issue was disclosed on May 11, 2023. Wordfence free users will receive that same protection 30 days later on June 20, 2023. Considering how easily this vulnerability can be successfully exploited, we highly recommend all users of the plugin update ASAP to ensure their site is not compromised by this vulnerability.
Vulnerability Details
Description: Essential Addons for Elementor <= 5.7.1 – Unauthenticated Arbitrary Password Reset to Privilege EscalationAffected Plugin: Essential Addons for Elementor
Plugin Slug: essential-addons-for-elementor-lite
Affected Versions: <= 5.7.1
CVE ID: CVE-2023-32243
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Rafie Muhammed
Fully Patched Version: 5.7.2
The vulnerability patched in Essential Addons for Elementor allowed for attackers to reset passwords for arbitrary accounts on any of the one million WordPress sites running the plugin. This was due to the fact that the reset_password function did not adequately validate a password reset request with a password reset key, so attackers could simply supply a valid username, obtain a valid nonce from the site’s homepage, input random data for the remaining fields, and reset the supplied users password to whatever they chose in one simple request.
WordPress doesn’t consider usernames to be sensitive information which means attackers can easily enumerate a site looking for valid usernames. Additionally, site owners often forget to change the default username making it possible for attackers to use common default usernames such as ‘admin.’ This makes it much easier for attackers to uncover valid accounts that they can compromise in order to elevate their privileges on the site. Once the attacker is logged in as an administrator, they have free rein to perform actions like installing plugins and backdoors to further infect the site, server, and any unsuspecting visitors.
Source:
https://www.wordfence.com/threat-intel/vulnerabilities/researchers/rafie-muhammad