Essential Addons for Elementor Patches Critical Privilege Escalation Vulnerability

Essential Addons for Elementor, a plugin with more than a million active installs, has patched an unauthenticated privilege escalation vulnerability in version 5.7.2. The vulnerability was discovered on May 8, 2023, and reported by Patchstack researcher Rafie Muhammad. It was given a 9.8 (Critical severity) CVSS 3.1 score and is not yet known to have been exploited.

Muhammad outlined the vulnerability in a security advisory published today:

This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site.

It is possible to reset the password of any user as long as we know their username, thus being able to reset the password of the administrator and log in to their account. This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user.

The plugin’s authors published the patch today, on May 11, with the following note in the changelog:

5.7.2 – 11/05/2023
Improved: EA Login/Register Form for Security Enhancement
Few minor bug fixes & improvements

The vulnerability affects sites using versions 5.4.0 to 5.7.1 of Essential Addons for Elementor. Users are advised to update to the latest version 5.7.2 immediately now that Patchstack has published the proof of concept for exploiting it.
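The flaw class the advisory describes, a reset handler that changes a password without validating a reset key, is modeled below beside a checked version. This is an added, language-neutral Python example, not code from the plugin, WordPress or Patchstack; the class, method names and the one-hour expiry are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 3600  # seconds a reset key stays valid (assumed policy)


class Accounts:
    """Toy user store; all names here are hypothetical, not the plugin's."""

    def __init__(self):
        self.passwords = {}   # username -> password (a real system stores a password hash)
        self.reset_keys = {}  # username -> (sha256 of key, expiry timestamp)

    def issue_reset_key(self, username, now=None):
        """Create a one-time key; only its hash is kept server-side."""
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)
        digest = hashlib.sha256(key.encode()).hexdigest()
        self.reset_keys[username] = (digest, now + RESET_TTL)
        return key  # delivered out of band, e.g. e-mailed to the account owner

    def reset_password_vulnerable(self, username, new_password):
        """Flawed pattern: knowing the username is enough to change the password."""
        if username not in self.passwords:
            return False
        self.passwords[username] = new_password
        return True

    def reset_password_checked(self, username, key, new_password, now=None):
        """Checked pattern: the key must match, be unexpired, and is single-use."""
        now = time.time() if now is None else now
        stored = self.reset_keys.get(username)
        if username not in self.passwords or stored is None or not key:
            return False
        digest, expires = stored
        supplied = hashlib.sha256(key.encode()).hexdigest()
        # Constant-time comparison avoids leaking how much of the key matched.
        if not hmac.compare_digest(digest, supplied) or now > expires:
            return False
        del self.reset_keys[username]  # consume the key so it cannot be replayed
        self.passwords[username] = new_password
        return True
```

When reviewing a login or registration handler for this pattern, the check to look for is that every code path that sets a password first proves possession of a server-issued, per-user, expiring key.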


4 responses to “Essential Addons for Elementor Patches Critical Privilege Escalation Vulnerability”

  1. It baffles me that something like this happens. Surely one of the first tasks of a new release of any plugin is the validation and sanitation of the data being entered. This is the third Elementor-related issue in three months. I mean, we would understand bugs, little issues and incompatibilities; I’m sure these releases are no easy task, but to get the very basics wrong. It almost seems like it’s on purpose.

    • It’s not on purpose, but plenty of plugin developers appear to either not care about security or are unable to handle it properly. WordPress could take steps to address that; unfortunately, the team running the Plugin Directory has been hostile to working with others to address problems like this. It probably isn’t helped that all the current members of that team work for companies or the owners of companies that haven’t been handling the security of their own plugins all that well. And that half the team works for someone who also sells security solutions, including data on vulnerabilities in WordPress plugins.

    • Speaking of Elementor, it also received a security update yesterday, which addressed several vulnerability issues caused by a lack of proper access controls. Unfortunately, the developer didn’t fully address the issue. We contacted their security team over two weeks ago about another instance of that, but the only response we got back was asking about a subscription to Elementor Pro.

      https://www.pluginvulnerabilities.com/2023/05/12/latest-elementor-version-fixes-privilege-escalation-vulnerability-issues/

  2. Essential Addons for Elementor could have chosen here to ask the wordpress.org security team to push a fix to vulnerable sites, but they haven’t. It’d be interesting to know why not.
