Essential Addons for Elementor Patches Critical Privilege Escalation Vulnerability – WP Tavern
Essential Addons for Elementor, a plugin with more than 1,000,000 active installs, has patched an unauthenticated privilege escalation vulnerability in version 5.7.2. The vulnerability was discovered on May 8, 2023, and reported by Patchstack researcher Rafie Muhammad. It was given a 9.8 (Critical severity) CVSS 3.1 score and is not yet known to have been exploited.
Muhammad described the vulnerability in a security advisory published today:
This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site.
It is possible to reset the password of any user as long as we know their username, thus being able to reset the password of the administrator and log in to their account. This vulnerability occurs because this password reset function doesn't validate a password reset key and instead directly changes the password of the given user.
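The pattern the advisory describes, as an added illustration in PHP that is not the plugin's own code: a reset handler that trusts a username plus a new password, beside a hardened version that only changes the password after WordPress has validated a reset key issued to that user. Function and request-parameter names are hypothetical; the WordPress API calls are real.

```php
<?php
// Added example, not the plugin's code. Names such as
// insecure_reset_password() and the request keys are hypothetical.

// Insecure pattern: the password is changed as soon as the username is known.
function insecure_reset_password( array $request ) {
    $user = get_user_by( 'login', sanitize_user( $request['username'] ?? '' ) );
    if ( ! $user ) {
        return new WP_Error( 'invalid_user', 'Unknown user.' );
    }
    // No reset key is checked, so anyone who knows the login can set the password.
    reset_password( $user, (string) ( $request['new_password'] ?? '' ) );
    return true;
}

// Hardened pattern: require a valid, unexpired reset key for this exact user.
function hardened_reset_password( array $request ) {
    $login = sanitize_user( $request['username'] ?? '' );
    $key   = (string) ( $request['reset_key'] ?? '' );
    $new   = (string) ( $request['new_password'] ?? '' );

    // check_password_reset_key() returns a WP_User only when the key was issued
    // to this login and has not expired; otherwise it returns a WP_Error.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    if ( strlen( $new ) < 12 ) {
        return new WP_Error( 'weak_password', 'Password too short.' );
    }
    // reset_password() calls wp_set_password(), which also clears the stored key,
    // so the same key cannot be replayed.
    reset_password( $user, $new );
    return true;
}
```

The hardened handler fails closed: a missing, wrong or expired key yields a WP_Error before any password is touched, which is the check the advisory says was absent.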
The plugin's authors published the patch today, May 11, with the following note in the changelog:
5.7.2 – 11/05/2023
Improved: EA Login/Register Form for Security Enhancement
Few minor bug fixes & improvements
The vulnerability affects sites using versions 5.4.0 to 5.7.1 of Essential Addons for Elementor. Users are advised to update to the latest version, 5.7.2, immediately now that Patchstack has published the proof of concept for exploiting it.