Are you aware of the security risk to your WordPress site? Over one million installations of the popular WordPress plugin Essential Addons for Elementor could be at risk due to a serious security vulnerability. Through this vulnerability, attackers get the opportunity to take control of your WordPress instance.
In this article, we give you an overview of the discovered vulnerability and explain how you can protect yourself against it. Read on to learn everything you need to know about this serious issue.
Details about the critical vulnerability
Essential Addons for Elementor has more than a million installations, making it one of the most widely used WordPress plugins. IT experts have now uncovered a significant security vulnerability that allows unauthenticated attackers to completely compromise a WordPress instance. A corrected version of the plugin is now available.
Version 5.7.2 has been published on the plugin's website. Users of Essential Addons for Elementor should install it immediately. The identified vulnerability allows privilege escalation without prior authentication (CVE-2023-32243, CVSS 9.8, risk "critical"). It affects all plugin versions from 5.4.0 up to and including 5.7.1.
Danger from Essential Addons for Elementor
In their detailed analysis, Patchstack's IT experts discovered that the plugin has a security vulnerability that allows any unauthenticated user to escalate their privileges to those of any user of the WordPress website.
It is thus possible to reset the password of any user, provided that the user name is known. Attackers are therefore able to reset the administrator's password and log in to that account. As the Patchstack researchers further explain, the vulnerability arises because the password reset function does not validate the associated reset key but directly changes the password of the affected user.
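The missing step described above is the validation of the reset key before the password is changed. The following handler is an added, illustrative example written for this article and is not the plugin's code or the fix its developers shipped; it assumes a hypothetical form that posts `rp_key`, `rp_login` and `rp_pass` to a hypothetical `example_reset_password` action, and uses the WordPress core functions `check_password_reset_key()` and `reset_password()` to perform the check that was absent.

```php
<?php
// Illustrative hardened password-reset handler (not the plugin's code).
// Assumption: a form posts rp_key, rp_login and rp_pass to admin-post.php
// with action=example_reset_password (hypothetical action name).
add_action( 'admin_post_nopriv_example_reset_password', 'example_handle_password_reset' );
add_action( 'admin_post_example_reset_password', 'example_handle_password_reset' );

function example_handle_password_reset() {
    $key   = isset( $_POST['rp_key'] )   ? sanitize_text_field( wp_unslash( $_POST['rp_key'] ) ) : '';
    $login = isset( $_POST['rp_login'] ) ? sanitize_user( wp_unslash( $_POST['rp_login'] ) )     : '';
    $pass  = isset( $_POST['rp_pass'] )  ? (string) wp_unslash( $_POST['rp_pass'] )              : '';

    if ( '' === $key || '' === $login || '' === $pass ) {
        wp_die( esc_html__( 'Missing reset parameters.' ), '', array( 'response' => 400 ) );
    }

    // The check the article describes as missing: the submitted key must
    // match the stored, time-limited token that was e-mailed to the account
    // owner. WordPress core returns WP_Error for a wrong or expired key, and
    // only a WP_User on success. Nothing may change before this passes.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        // Defender's note: repeated failures here for a privileged login are
        // worth alerting on, since they indicate guessing of reset tokens.
        error_log( sprintf( 'password reset rejected for login "%s": %s',
            $login, $user->get_error_code() ) );
        wp_die( esc_html__( 'Invalid or expired password reset link.' ), '', array( 'response' => 403 ) );
    }

    // Basic password policy; tighten to your site's requirements.
    if ( strlen( $pass ) < 12 ) {
        wp_die( esc_html__( 'Password must be at least 12 characters.' ), '', array( 'response' => 400 ) );
    }

    // reset_password() hashes and stores the new password and invalidates
    // the reset key, so the same link cannot be replayed.
    reset_password( $user, $pass );

    // Invalidate every existing session for the account so that anyone
    // already logged in as this user is signed out.
    $sessions = WP_Session_Tokens::get_instance( $user->ID );
    $sessions->destroy_all();

    wp_safe_redirect( wp_login_url() . '?password=changed' );
    exit;
}
```

A handler that calls `reset_password()` (or `wp_set_password()`) without first obtaining a `WP_User` from `check_password_reset_key()` is the pattern to look for when reviewing custom reset forms.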
Dealing with the discovered security vulnerability
The IT experts go into detail in their analysis and discuss the vulnerability, including code snippets. The plugin's developers reacted to the report within only three days and fixed it: the vulnerability was reported on a Monday, and the updated plugin was available by Thursday. IT managers with a vulnerable WordPress installation should install this update immediately.
Previous security issues with WordPress plugins
Back in April, a security vulnerability classified as high-risk was discovered in the WordPress plugin Elementor Pro that was being actively exploited by attackers, who were able to gain administrative access to WordPress websites. It is therefore crucial to stay up to date with the latest security updates to protect yourself from such threats.
Conclusion and recommendations for action
The discovery of this significant vulnerability in Essential Addons for Elementor highlights the importance of regular updates and continuous review of installed plugins. If you are using the affected plugin, install the update to version 5.7.2 immediately to protect your WordPress instance. IT managers are urged to continuously monitor their WordPress installations and keep their security up to date.
If you prefer to have this work done and supervised by a professional team, our WordPress maintenance service is available.