The ‘Essential Addons for Elementor’ WordPress plugin suffers from an unauthenticated privilege escalation vulnerability that lets any unauthenticated visitor escalate to the privileges of any user on the WordPress site.

The described vulnerability was fixed in version 5.7.2 and assigned CVE-2023-32243.

“[By exploiting the flaw] It is possible to reset the password of any user as long as we know their username, thus being able to reset the password of the administrator and login on their account,” reads PatchStack’s bulletin.

“This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user.”

(Un)conditional password reset

As PatchStack explains in its report, the attacker sets arbitrary values in the POST ‘page_id’ and ‘widget_id’ inputs; the values are not checked against anything meaningful, they only need to be present so that the plugin does not produce an error message that could alert the site admin.

The attacker must also supply the correct nonce value in ‘eael-resetpassword-nonce’ so that the request passes the plugin’s nonce check, and the new password in the ‘eael-pass1’ and ‘eael-pass2’ parameters. Note that a WordPress nonce is a CSRF token tied to an action; it does not prove that the requester is authorized to reset a particular account.

“At this point the question is perhaps how we can get our hands on the essential-addons-elementor nonce value,” explains PatchStack.

“Turns out that this nonce value is present in the main front-end page of the WordPress site since it will be set in the $this->localize_objects variable by the load_commnon_asset function:”

Provided the ‘rp_login’ parameter carries a valid username, the code changes that user’s password to the attacker-supplied value, handing the attacker control of the account.


Patching the problem was straightforward, the security firm comments: the plugin vendor had to add a check that a password reset key is present and legitimate in reset requests, the kind of validation WordPress core itself performs via check_password_reset_key() before a password may be changed.
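The request shape described above and the difference between the flawed handler and the patched one, as an added Python model that is not the plugin’s code (the plugin is PHP): it reproduces the article’s parameter names (‘page_id’, ‘widget_id’, ‘eael-resetpassword-nonce’, ‘eael-pass1’, ‘eael-pass2’, ‘rp_login’) and contrasts a handler that trusts only the public nonce with one that also requires a user-bound, time-limited reset key. The nonce construction, the ‘resetpassword’ action name, the ‘rp_key’ parameter, the user store and the key lifetime are all assumptions made for the model, not details from the plugin or the article.

```python
"""Model of the CVE-2023-32243 pattern: nonce-only vs. reset-key-checked password reset.

Added illustration, not the plugin's PHP. Parameter names follow the article;
everything else (nonce derivation, action name, 'rp_key', user store, lifetime)
is an assumption made for this model.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

NONCE_SECRET = b"assumed-site-salt"   # stands in for the site's nonce salt
KEY_LIFETIME = 24 * 3600              # assumed reset-key lifetime, seconds

# Constructed user store: login -> record. Password values are sentinels only.
USERS = {
    "admin": {"password": "original-admin-pw", "activation_key": ""},
    "editor": {"password": "original-editor-pw", "activation_key": ""},
}


def create_nonce(action: str) -> str:
    """Action-bound CSRF token. It is embedded in the public front page for every
    visitor (the article's point), so it proves nothing about who sends it."""
    return hmac.new(NONCE_SECRET, action.encode(), hashlib.sha256).hexdigest()[:10]


def verify_nonce(nonce: str, action: str) -> bool:
    return hmac.compare_digest(nonce, create_nonce(action))


def hash_key(key: str) -> str:
    return hashlib.sha256(NONCE_SECRET + key.encode()).hexdigest()


def get_password_reset_key(login: str) -> str:
    """Modelled on the WordPress flow: a random key goes to the user's mailbox,
    only its hash and issue time are stored server-side."""
    key = secrets.token_urlsafe(20)
    USERS[login]["activation_key"] = f"{int(time.time())}:{hash_key(key)}"
    return key


def check_password_reset_key(key: str, login: str) -> bool:
    """Accept only a key that matches the stored hash and has not expired."""
    user = USERS.get(login)
    if not user or not user["activation_key"] or not key:
        return False
    issued, stored_hash = user["activation_key"].split(":", 1)
    if time.time() - int(issued) > KEY_LIFETIME:
        return False
    return hmac.compare_digest(stored_hash, hash_key(key))


def _common_checks(req: dict) -> Optional[str]:
    """Checks both handlers share; returns the target login, or None to reject."""
    if not req.get("page_id") or not req.get("widget_id"):
        return None  # per the article, random values here only avoid an error page
    if not verify_nonce(req.get("eael-resetpassword-nonce", ""), "resetpassword"):
        return None
    if not req.get("eael-pass1") or req["eael-pass1"] != req.get("eael-pass2"):
        return None
    login = req.get("rp_login", "")
    return login if login in USERS else None


def vulnerable_reset(req: dict) -> bool:
    """The flaw: a valid nonce plus a username is enough; no reset key is consulted."""
    login = _common_checks(req)
    if login is None:
        return False
    USERS[login]["password"] = req["eael-pass1"]
    return True


def fixed_reset(req: dict) -> bool:
    """The fix the article describes: the reset key must be present and legitimate."""
    login = _common_checks(req)
    if login is None or not check_password_reset_key(req.get("rp_key", ""), login):
        return False
    USERS[login]["password"] = req["eael-pass1"]
    USERS[login]["activation_key"] = ""  # a reset key is single use
    return True


def attacker_request(login: str, new_password: str, key: str = "") -> dict:
    """The POST body the article describes: random page_id/widget_id, the public
    nonce, the chosen password twice, and the victim's username."""
    req = {
        "page_id": str(secrets.randbelow(10_000) + 1),
        "widget_id": secrets.token_hex(4),
        "eael-resetpassword-nonce": create_nonce("resetpassword"),
        "eael-pass1": new_password,
        "eael-pass2": new_password,
        "rp_login": login,
    }
    if key:
        req["rp_key"] = key  # assumed parameter name for the reset key
    return req


if __name__ == "__main__":
    print("vulnerable handler, admin, nonce only:", vulnerable_reset(attacker_request("admin", "pwned")))
    print("fixed handler, editor, nonce only:", fixed_reset(attacker_request("editor", "pwned")))
    k = get_password_reset_key("editor")
    print("fixed handler, editor, with mailed key:", fixed_reset(attacker_request("editor", "new-pw", key=k)))
```

The model makes the root cause concrete: the nonce check passes for anyone who has loaded the front page, so the only thing standing between an attacker and an account takeover is whether the handler demands a secret that was delivered to the account owner. The fixed handler also invalidates the key after use and rejects it after its lifetime, which is what a reset-key check should do in any implementation.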
