{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-029.pdf"
    },
    "title": "Critical Privilege Escalation in WordPress Elementor Plugin",
    "serial_number": "2023-029",
    "publish_date": "15-05-2023 15:31:34",
    "description": "A critical security vulnerability (CVSS score: 9.8), tracked as CVE-2023-32243, has been discovered in the popular WordPress plugin Essential Addons for Elementor. This flaw could allow an attacker to escalate their privileges to those of any user on the WordPress site, as long as they know that user's username, and thus to reset the administrator's password and log in to their account.<br>\nThe vulnerability occurs because the password reset function does not validate the password reset key and instead directly changes the password of the given user. The issue has been fixed in the latest version of the plugin, and it is crucial for website administrators to update to the patched version immediately. <br>\n",
    "url_title": "2023-029",
    "content_markdown": "--- \ntitle: 'Critical Privilege Escalation in\u00a0WordPress Elementor Plugin' \nversion: '1.0'\nnumber: '2023-029'\noriginal_date: 'May 11, 2023'\ndate: 'May 15, 2023'\n---\n\n_History:_\n\n* _15/05/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nA critical security vulnerability (CVSS score: 9.8), tracked as **CVE-2023-32243**, has been discovered in the popular WordPress plugin **Essential Addons for Elementor**. This flaw could allow an attacker to escalate their privileges to those of any user on the WordPress site, as long as they know that user's username, and thus to reset the administrator's password and log in to their account.\n\nThe vulnerability occurs because the password reset function does not validate the password reset key and instead directly changes the password of the given user. The issue has been fixed in the latest version of the plugin, and it is crucial for website administrators to update to the patched version immediately [1].\n\n# Technical Details\n\nTo exploit this vulnerability, an attacker would need to set a random value in the `$_POST['page_id']` and `$_POST['widget_id']` variables. This is to prevent displaying an error message that could raise the suspicion of the website admin.\n\nThe attacker would also need to set the nonce value on the `$_POST['eael-resetpassword-nonce']` variable. This value can be found in the main front-end page of the WordPress site, where it will be set in the `$this->localize_objects` variable by the `load_commnon_asset` function.\n\nFinally, in order to set the new password, the malicious actor should supply the same password string to `$_POST['eael-pass1']` and `$_POST['eael-pass2']`.\n\nIf all the above conditions are met, the code will construct a `$rp_login` variable from `$_POST['rp_login']`.\n\nThe code will then search for the username value that matches the `$rp_login` variable and construct a `$user` object using the `get_user_by` function.\n\nIf the `$user` object exists and there is no error, the code will directly reset the user\u2019s password using the `reset_password` function.\n\n# Products Affected\n\nThe vulnerability affects the following product:\n\n- Essential Addons for Elementor Plugin versions **5.4.0 to 5.7.1**.\n\n# Recommendations\n\nTo protect your website from this vulnerability, it is strongly recommended that you update the Essential Addons for Elementor plugin to version **5.7.2**.\n\n# References\n\n[1] <https://patchstack.com/articles/critical-privilege-escalation-in-essential-addons-for-elementor-plugin-affecting-1-million-sites/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>15/05/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>A critical security vulnerability (CVSS score: 9.8), tracked as <strong>CVE-2023-32243</strong>, has been discovered in the popular WordPress plugin <strong>Essential Addons for Elementor</strong>. This flaw could allow an attacker to escalate their privileges to those of any user on the WordPress site, as long as they know that user's username, and thus to reset the administrator's password and log in to their account.</p><p>The vulnerability occurs because the password reset function does not validate the password reset key and instead directly changes the password of the given user. The issue has been fixed in the latest version of the plugin, and it is crucial for website administrators to update to the patched version immediately [1].</p><h2 id=\"technical-details\">Technical Details</h2><p>To exploit this vulnerability, an attacker would need to set a random value in the <code>$_POST['page_id']</code> and <code>$_POST['widget_id']</code> variables. This is to prevent displaying an error message that could raise the suspicion of the website admin.</p><p>The attacker would also need to set the nonce value on the <code>$_POST['eael-resetpassword-nonce']</code> variable. This value can be found in the main front-end page of the WordPress site, where it will be set in the <code>$this-&gt;localize_objects</code> variable by the <code>load_commnon_asset</code> function.</p><p>Finally, in order to set the new password, the malicious actor should supply the same password string to <code>$_POST['eael-pass1']</code> and <code>$_POST['eael-pass2']</code>.</p><p>If all the above conditions are met, the code will construct a <code>$rp_login</code> variable from <code>$_POST['rp_login']</code>.</p><p>The code will then search for the username value that matches the <code>$rp_login</code> variable and construct a <code>$user</code> object using the <code>get_user_by</code> function.</p><p>If the <code>$user</code> object exists and there is no error, the code will directly reset the user\u2019s password using the <code>reset_password</code> function.</p><h2 id=\"products-affected\">Products Affected</h2><p>The vulnerability affects the following product:</p><ul><li>Essential Addons for Elementor Plugin versions <strong>5.4.0 to 5.7.1</strong>.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>To protect your website from this vulnerability, it is strongly recommended that you update the Essential Addons for Elementor plugin to version <strong>5.7.2</strong>.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://patchstack.com/articles/critical-privilege-escalation-in-essential-addons-for-elementor-plugin-affecting-1-million-sites/\">https://patchstack.com/articles/critical-privilege-escalation-in-essential-addons-for-elementor-plugin-affecting-1-million-sites/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}