Critical Security Flaw Leaves Over a Million WordPress Websites Vulnerable
Researchers at website security and monitoring platform Patchstack have recently discovered a severe security flaw in the popular WordPress plugin Essential Addons for Elementor. This vulnerability has left more than a million WordPress websites at an alarming risk of hijack attacks that could give cybercriminals escalated permissions on the compromised sites.
The security flaw, tracked as CVE-2023-32243, could wreak havoc in the vast WordPress ecosystem, which powers an estimated 40% of the internet. As one of the most popular plugins, Essential Addons for Elementor has an extensive user base, making this vulnerability potentially catastrophic.
By exploiting this security loophole, cybercriminals can gain elevated permissions on a site, opening a Pandora’s box of illicit possibilities. These include unauthorized access to sensitive user data, defacement of website content, and even more severe outcomes like the total hijack of a site.
“This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site,” reads Patchstack’s security advisory. “It is possible to reset the password of any user as long as we know their username thus being able to reset the password of the administrator and login on their account. This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user.”
Reportedly, the vulnerability has existed since version 5.4.0 of the popular plugin. All users of Essential Addons for Elementor are urged to immediately update to the latest version, 5.7.1, to shield their websites from hijacking.
While the security flaw has been fixed, the incident highlights the daunting challenges of ensuring robust website security in a rapidly evolving digital landscape.
As the dust settles on this discovery, it serves as a wake-up call to all website managers about the need to consistently implement the latest security practices, particularly timely plugin updates, to guarantee their sites’ security.