Skip to main content

Public advisory of scammers impersonating CSA and the SPF

Stay vigilant. Read the public advisory

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. Critical Vulnerability in WordPress Elementor Plugin
Alerts

Critical Vulnerability in WordPress Elementor Plugin

15 May 2023

WordPress has released security updates to address a critical vulnerability (CVE-2023-32243) in their Essential Addons for Elementor plugin. The vulnerablity has a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.

Successful exploitation of the unauthenticated privilege escalation vulnerability could allow unauthenticated attackers to reset the password of any user on a vulnerable site if they have the email or username of the targeted account, potentially gaining administrator rights to the site.

The vulnerability affects versions 5.4.0 to 5.7.1, inclusive, of the plugin.

Users and administrators of affected plugin versions are advised to upgrade to the latest versions immediately.

More information is available here:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/essential-addons-for-elementor-lite/essential-addons-for-elementor-571-unauthenticated-arbitrary-password-reset-to-privilege-escalation

https://plugins.trac.wordpress.org/changeset/2910988/essential-addons-for-elementor-lite/tags/5.7.2/includes/Traits/Login_Registration.php

https://patchstack.com/articles/critical-privilege-escalation-in-essential-addons-for-elementor-plugin-affecting-1-million-sites/

https://nvd.nist.gov/vuln/detail/CVE-2023-32243

Back to top