A security vulnerability has been detected in Essential Addons for Elementor, a widely used WordPress plugin with over one million active installations. The flaw, identified as CVE-2023-32243, allows an unauthenticated attacker to reset the password of any user on an affected website, including administrators, and thereby obtain administrator privileges.
A closer examination of CVE-2023-32243 shows that it affects the password reset feature of the Essential Addons for Elementor plugin. The vulnerability arises because the plugin does not validate the password reset key, so a user's password can be changed directly without proper verification. Consequently, an attacker who does not know a user's current password can still reset the password of any user on the affected website.
Essential Addons for Elementor is a WordPress plugin that extends the Elementor page builder with additional widgets. Unfortunately, the plugin contains a security vulnerability that allows unauthenticated individuals to elevate their privileges to those of any user on the WordPress site.
With knowledge of a user’s username, an attacker can reset their password and gain unauthorized access to their account. This vulnerability stems from the absence of password reset key validation in the password reset function, directly modifying the password for the specified user.
The vulnerability has been resolved in version 5.7.2 of the plugin. The fix implements proper validation of the reset key within the password reset function, which mitigates the risk of privilege escalation. The identifier CVE-2023-32243 has been assigned to this vulnerability.
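As an added illustration (not the plugin's own code), the two PHP handlers below contrast the class of defect described above with the fixed pattern using WordPress core APIs. The handler names and the request field names (user_login, rp_key, pass1, pass2) are assumptions made for this example; check_password_reset_key() and reset_password() are real WordPress core functions.

```php
<?php
// Illustrative example, not code from Essential Addons for Elementor.
// Assumes WordPress core is loaded so that get_user_by(), sanitize_user(),
// check_password_reset_key(), reset_password() and WP_Error are available.

// Defect pattern: the new password is applied to whichever account the
// request names; the reset key carried by the request is never checked.
function insecure_reset_handler( array $request ) {
    $login    = sanitize_user( $request['user_login'] ?? '' );
    $new_pass = $request['pass1'] ?? '';
    $user     = get_user_by( 'login', $login );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user.' );
    }
    // Nothing here proves the requester owns the account.
    reset_password( $user, $new_pass );
    return true;
}

// Fixed pattern: the key must validate against the named login before any
// password change takes place.
function secure_reset_handler( array $request ) {
    $login    = sanitize_user( $request['user_login'] ?? '' );
    $key      = sanitize_text_field( wp_unslash( $request['rp_key'] ?? '' ) );
    $new_pass = $request['pass1'] ?? '';
    if ( '' === $key || '' === $new_pass ) {
        return new WP_Error( 'missing', 'Reset key and new password are required.' );
    }
    // check_password_reset_key() returns a WP_User only when the key matches
    // the stored, unexpired reset hash for this login; otherwise a WP_Error.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    if ( $new_pass !== ( $request['pass2'] ?? '' ) ) {
        return new WP_Error( 'mismatch', 'The two passwords do not match.' );
    }
    reset_password( $user, $new_pass );
    return true;
}
```

When reviewing a plugin's own reset handler, the question to ask is whether a path exists from the request to reset_password() (or wp_set_password()) that does not pass through check_password_reset_key() or an equivalent proof of ownership.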
How to leverage this security flaw?
To reproduce this vulnerability, a lab setup with the exact vulnerable version of the component is required: a standard WordPress installation with the susceptible Essential Addons for Elementor release installed. In addition, a Python proof-of-concept script, which can be cloned from GitHub, is used to carry out the test.
Step 1: Retrieve the WordPress application and deploy it on the XAMPP Server.
Step 2: After finalizing the WordPress configuration, our next task is to obtain the vulnerable component. Specifically, we need 'Essential Addons for Elementor' version 5.7.1 from the following page: https://wordpress.org/plugins/essential-addons-for-elementor-lite/advanced/. As seen in the screenshot below, the desired version is not available in the dropdown menu, so we must download it from the archive by constructing the URL with the desired version. You can download it directly from this link: https://downloads.wordpress.org/plugin/essential-addons-for-elementor-lite.5.7.1.zip.
Step 3: Extract the downloaded file and place it in the ‘htdocs > wordpress > wp-content > plugins’ directory on the XAMPP Server.
Step 4: Access the administrative portal of the hosted WordPress site, and then go to the plugins section. Proceed to activate the plugin marked as version 5.7.1.
Step 5: Once the WordPress website has been prepared with the vulnerable plugin, the next step is to run the exploit. For this we clone a public proof of concept from GitHub: https://github.com/RandomRobbieBF/CVE-2023-32243.
Step 6: After cloning the repository, install the dependencies listed in its requirements.txt file.
Step 7: Before running anything, let's verify that the current password for the admin portal works.
Step 8: Testing confirmed that the current login credentials for the admin portal are admin/admin. Now let's run the exploit with the command:
python3 exploit.py --url http://localhost/wordpress/ --password "Hacked_Pass". Note that the attacker can set the password to any value of their choosing.
Step 9: Now, let’s verify if the modified password functions correctly or not.
Step 10: Verification was successful, and we were able to demonstrate the impact of CVE-2023-32243.
The vulnerability has been addressed in plugin release 5.7.2, with 5.8.0 being the latest stable version. It is strongly recommended to upgrade the plugin to the most recent stable release to mitigate any similar threats.
In conclusion, the identified security vulnerability (CVE-2023-32243) in Essential Addons for Elementor presented a critical risk by allowing unauthenticated attackers to reset passwords and gain administrator privileges on affected WordPress websites. The flaw stemmed from a lack of reset key validation in the password reset feature, enabling the direct modification of user passwords without proper verification.
The developers promptly addressed this issue in version 5.7.2 of the plugin by implementing proper validation of the reset key within the password reset function. This crucial update effectively mitigated the risk of privilege escalation.
To exploit the vulnerability for testing purposes, a specific setup was required, including the vulnerable version of the Essential Addons plugin (version 5.7.1). The process involved downloading and installing the plugin on a WordPress site, activating the vulnerable version, and executing a provided Python script from GitHub.
To prevent potential threats, users are strongly advised to upgrade to the latest stable version of the Essential Addons for Elementor plugin (version 5.8.0). This upgrade ensures that the security vulnerability is fully mitigated, and the WordPress site is protected against similar risks.
In summary, vigilance in keeping software components up to date is crucial for maintaining the security of WordPress websites. Users are encouraged to promptly apply the latest updates and patches to minimize the risk of exploitation and ensure a secure online presence.
Credit: CQR
LinkedIn: sandeepvishwakarma1
For personalized training, contact: [email protected]