Critical Privilege Escalation in Essential Addons for Elementor Plugin Affecting 1+ Million Sites

This blog post is about the Essential Addons for Elementor plugin vulnerability. If you're an Essential Addons for Elementor user, please update the plugin to at least version 5.7.2.

The security vulnerability in Essential Addons for Elementor

This plugin suffers from an unauthenticated privilege escalation vulnerability: any unauthenticated visitor can escalate their privileges to those of any user on the WordPress site.

It is possible to reset the password of any user as long as their username is known, which means the administrator's password can be reset and their account logged into. The vulnerability exists because the affected password reset function does not validate a password reset key; it directly changes the password of the given user. The described vulnerability was fixed in version 5.7.2 and assigned CVE-2023-32243.
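The root cause described above is a password reset handler that trusts the supplied username and new password without tying the request to a valid reset key. The following PHP is an added illustration written for this post, not code from the Essential Addons plugin: it shows the unsafe pattern beside a hardened handler built on WordPress core's own reset-key validation. The function names (`vulnerable_reset_handler`, `hardened_reset_handler`) and request parameter names (`rp_login`, `rp_key`, `rp_new_password`, `rp_nonce`) are hypothetical and chosen only for the example; the WordPress API calls (`get_user_by`, `check_password_reset_key`, `reset_password`, `wp_verify_nonce`) are real core functions.

```php
<?php
/**
 * Added example (not the plugin's code). Illustrates the class of bug
 * described in the advisory: a reset handler that skips reset-key validation.
 *
 * Parameter and function names below are hypothetical placeholders.
 */

/**
 * UNSAFE PATTERN: changes the password of whatever user is named in the
 * request. Nothing proves the caller ever received a reset e-mail, so anyone
 * who knows a username can set that account's password.
 */
function vulnerable_reset_handler( array $request ) {
    $login    = sanitize_user( $request['rp_login'] ?? '' );
    $new_pass = (string) ( $request['rp_new_password'] ?? '' );

    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        return new WP_Error( 'invalid_user', 'Unknown user.' );
    }

    // Missing: check_password_reset_key() and a nonce check.
    reset_password( $user, $new_pass );
    return true;
}

/**
 * HARDENED PATTERN: the request must carry the reset key that WordPress
 * core generated and e-mailed to the account owner. check_password_reset_key()
 * verifies the key's hash against the stored activation key, enforces its
 * expiry, and returns the matching WP_User only on success.
 */
function hardened_reset_handler( array $request ) {
    // 1. CSRF protection: the form must carry a nonce for this action.
    //    'rp_reset_action' is a hypothetical nonce action name.
    $nonce = (string) ( $request['rp_nonce'] ?? '' );
    if ( ! wp_verify_nonce( $nonce, 'rp_reset_action' ) ) {
        return new WP_Error( 'invalid_nonce', 'Request could not be verified.' );
    }

    $login    = sanitize_user( $request['rp_login'] ?? '' );
    $key      = sanitize_text_field( $request['rp_key'] ?? '' );
    $new_pass = (string) ( $request['rp_new_password'] ?? '' );

    if ( '' === $login || '' === $key || '' === $new_pass ) {
        return new WP_Error( 'missing_fields', 'Missing required fields.' );
    }

    // 2. Bind the request to proof of e-mail access: the key must match the
    //    one core stored for this login and must not have expired.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        // Deliberately generic: do not leak whether the login exists.
        return new WP_Error( 'invalid_key', 'This reset link is invalid or has expired.' );
    }

    // 3. Only now is it safe to change the password. reset_password() also
    //    clears the stored activation key so the link cannot be replayed.
    reset_password( $user, $new_pass );

    return true;
}
```

The only difference that matters is the `check_password_reset_key()` call: it is the step that proves the caller controls the account's mailbox. A defender reviewing a custom password-reset feature should confirm that the new password is set only on the `WP_User` object returned by that function, never on a user looked up directly from a request-supplied login, and that the handler is reachable only through a nonce-protected form.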

To read the full story, go here.