Bajorat Media

Numerous websites at risk: Significant security vulnerability in the widely used WordPress plugin Essential Addons for Elementor

Are you aware of the security risk to your WordPress site? Over a million installations of the popular WordPress plugin Essential Addons for Elementor could be at risk due to a serious security vulnerability. This vulnerability gives attackers the opportunity to take control of your WordPress instance. In this article we give you an overview of the vulnerability that was discovered and explain how you can protect yourself against it. Read on to find out everything you need to know about this threat.

Details about the critical vulnerability

Essential Addons for Elementor has more than a million installations, making it one of the most popular WordPress plugins. Security researchers have now uncovered a significant vulnerability that allows unauthenticated attackers to completely compromise a WordPress instance. A corrected version of the plugin is now available: version 5.7.2 has been published on the plugin’s website, and users of Essential Addons for Elementor should install it immediately. The identified vulnerability allows privilege escalation without prior authentication (CVE-2023-32243, CVSS 9.8, risk “critical”). It affects all plugin versions from 5.4.0 up to and including 5.7.1.

Danger from Essential Addons for Elementor

In their detailed analysis, Patchstack’s researchers found that the plugin contains a security hole that lets any unauthenticated user elevate their own rights to those of any user of the WordPress website. It is therefore possible to reset the password of any user as long as their username is known. This gives attackers the opportunity to reset the administrator’s password and log into that account. The gap arises because the password reset function does not validate the associated reset key but directly changes the password of the specified user, as Patchstack further explains.
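To make the flaw concrete, here is an added illustration (hypothetical code, not the plugin’s actual source) of a simplified WordPress password reset handler in the insecure shape the analysis describes, next to a hardened version that validates the reset key before touching the account. The function and request parameter names are assumptions; the WordPress API calls (`check_password_reset_key`, `reset_password`, `get_user_by`, `sanitize_user`) are real core functions.

```php
<?php
// Added illustration, not the plugin's code: a simplified password reset
// handler in the insecure shape described above, beside a hardened form.
// Function and request field names ($request['rp_*']) are hypothetical.

// Insecure shape: the reset key is never checked, so the password of any
// user whose login name is supplied gets changed unconditionally.
function insecure_handle_reset( array $request ) {
    $user = get_user_by( 'login', sanitize_user( $request['rp_login'] ?? '' ) );
    if ( ! $user ) {
        return new WP_Error( 'invalid_user', 'Unknown user.' );
    }
    // BUG: $request['rp_key'] is ignored; no proof of ownership is required.
    reset_password( $user, $request['rp_password'] ?? '' );
    return true;
}

// Hardened shape: the key must be valid for this login before any change.
function secure_handle_reset( array $request ) {
    $login = sanitize_user( $request['rp_login'] ?? '' );
    $key   = $request['rp_key'] ?? '';

    // check_password_reset_key() returns a WP_User only when the key is
    // present, unexpired and belongs to this login; otherwise a WP_Error.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        // Fail uniformly so the response does not reveal whether the login exists.
        return new WP_Error( 'invalid_key', 'This password reset link is invalid or has expired.' );
    }

    $pass1 = $request['rp_password'] ?? '';
    $pass2 = $request['rp_password_confirm'] ?? '';
    if ( '' === $pass1 || $pass1 !== $pass2 ) {
        return new WP_Error( 'password_mismatch', 'Passwords are empty or do not match.' );
    }

    // Only now is the account modified; the key is consumed by WordPress core.
    reset_password( $user, $pass1 );
    return true;
}
```

When reviewing a custom reset form in any plugin, the check to look for is exactly this: a successful `check_password_reset_key()` call must sit between reading the request and calling `reset_password()`.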

Dealing with the discovered security vulnerability

The researchers go into detail in their analysis and discuss the security gap, including code snippets. The developers of the plugin responded to the report and fixed the vulnerability within just three days: it was reported on a Monday and the updated plugin was available on the Thursday. IT managers with a vulnerable WordPress installation should install this update immediately.

Previous security issues with WordPress plugins

Back in April, a security hole classified as high risk in the WordPress plugin Elementor Pro was found to be actively exploited by attackers, enabling them to gain administrative access to WordPress websites. It is therefore crucial to keep up with the latest security updates to protect yourself from such threats.

Conclusion and recommendations for action

The discovery of this significant security flaw in Essential Addons for Elementor highlights the importance of regular updates and constant checking of installed plugins. If you use the affected plugin, install the update to version 5.7.2 immediately to protect your WordPress instance. IT managers are urged to continually monitor the security of their WordPress installations and keep them up to date. If you would prefer to have this work carried out and monitored by a professional team, our WordPress maintenance service is at your disposal.

Discuss a project

Do you want to apply this topic to your project?

We help you decide which technical, editorial or strategic steps make sense for your website, and which of them truly have priority.