A vulnerability has been discovered in Essential Addons for Elementor, a popular WordPress plugin with over one million active installations. The vulnerability, tracked as CVE-2023-32243, allows an unauthenticated attacker to reset the password of any user on the affected site, effectively granting them administrator privileges.
Here’s what we know so far:
What is CVE-2023-32243?
CVE-2023-32243 affects the password reset feature of the Essential Addons plugin in Elementor. The flaw arises from the absence of password reset key validation, allowing the direct modification of a user’s password without proper verification. As a consequence, an attacker can exploit this weakness to reset the password of any user on the affected website, even without knowledge of the user’s current password.
Does it affect me?
If you are using Essential Addons for Elementor, you are potentially affected by this vulnerability. The vulnerability affects versions 5.4.0 up to and including 5.7.2 of Essential Addons for Elementor. If you are using a version of the plugin that is affected by this vulnerability, you are at risk of being attacked.
Has CVE-2023-32243 been actively exploited in the wild?
Yes, there is evidence that CVE-2023-32243 has been actively exploited in the wild. Security researchers have observed attackers using the vulnerability to gain administrator access to WordPress sites.
Fixing CVE-2023-32243
The developer of Essential Addons for Elementor has released a security update that fixes CVE-2023-32243. To fix the vulnerability, you should update Essential Addons for Elementor to version 5.7.2 or higher. You can download the latest version of the plugin from the WordPress Plugin Directory.
Next steps
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- VulnRX – vulnerability fix database
- MITRE ATTACK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- How to properly tackle zero-day threats
- OWASP Top 10 vulnerabilities 2022: what we learned
And finally…
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.