Essential Addons for Elementor, a plugin with more than a million active installs, has patched an unauthenticated privilege escalation vulnerability in version 5.7.2. The vulnerability was discovered on May 8, 2023, and reported by Patchstack researcher Rafie Muhammad. It was given a 9.8 (Critical severity) CVSS 3.1 score and is not yet known to have been exploited.
Muhammad outlined the vulnerability in a security advisory published today:
This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site.
It is possible to reset the password of any user as long as we know their username thus being able to reset the password of the administrator and login on their account. This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user.
The plugin’s authors published the patch today, on May 11, with the following note in the changelog:
5.7.2 – 11/05/2023
Improved: EA Login/Register Form for Security Enhancement
Few minor bug fixes & improvements
The vulnerability affects sites using versions 5.4.0 to 5.7.1 of Essential Addons for Elementor. Users are advised to update to the latest version 5.7.2 immediately now that Patchstack has published the proof of concept for exploiting it.
It baffles me that something like this happens. Surely one of the first tasks of a new release of any plugin is the validation and sanitation of the data being entered. This is the third elementor-related issue in three months. I mean we would understand bugs, little issues and incompatibilities I’m sure these releases are no easy task but to get the very basics wrong. It almost seems like it’s on purpose.