One of the most popular Elementor addon plugins in WordPress, “Essential Addons for Elementor” has been found to have a critical privilege escalation flaw that allows an attacker to reset a password if they know the user’s username. The vulnerability is being tracked as CVE-2023-32243 and has been fixed in version 5.7.2 of the plugin.
The root cause of this issue, discovered by researchers at Patchstack, is that the source code doesn’t check if the password reset key is present and legitimate during the reset process and directly changes the password of a given user instead. This means that as long as the attacker knows the user’s username, they can go ahead and trigger a password change on their behalf.
It’s located in the reset_password function which based on official commits only showed up with version 5.4.0. There are a set of conditions that need to be met in order for the password to be reset, but they’re not exactly difficult.
The $_post[‘page_id’] and $_page[‘widget_id’] need to be set to a random value so that an error isn’t generated. The $_post[‘eael-resetpassword-nonce’] value can be found in the main front-end page of the website as it’s set in the localize_objects function which eventually gets called by the init_hook and last but not least, the $_POST[‘eael-pass1’] and $_POST[‘eael-pass2’] simply require the new password strings. If all these conditions are code constructs a $user object using the get_user_by function to search for the required username and changes the password.
The vulnerability can be exploited on a default installation or configuration of the plugin. Thankfully, since the major problem was the password key not being validated, the patch was also relatively simple. The developer now uses the eael_resetpassword_rp_data_* value configured in the eael_redirect_to_reset_password function to validate the password reset process now.
In the News: Google will send an alert if your email is found on the dark web