Essential Addons for Elementor, a widely used plugin for WordPress, has been found to have a serious vulnerability that could allow remote attackers to gain administrator rights on affected websites.
The flaw, discovered by PatchStack on May 8, 2023, is an unauthenticated privilege escalation vulnerability within the plugin’s password reset functionality, impacting versions 5.4.0 to 5.7.1. By exploiting this flaw, an attacker can reset the password of any user, including the administrator, without proper validation.
The consequences of this vulnerability are significant, as it can lead to unauthorized access to sensitive information, website defacement, distribution of malware to visitors, and damage to the brand’s reputation.
While remote attackers do not need authentication to exploit the flaw, they must know a valid username on the targeted system for the malicious password reset. The attack involves setting random values and providing the correct nonce value to bypass security measures.
PatchStack has provided detailed information on the exploit methodology and recommends immediate action to mitigate the risk. The plugin vendor has addressed the issue in Essential Addons for Elementor version 5.7.2, which has been released to the public.
All users of the plugin are strongly advised to update to the latest version promptly to protect their websites from potential attacks. It is crucial for website administrators to stay vigilant and promptly apply security patches and updates to safeguard their online presence.
