CVE-2023-32243: Critical Bug Found in WordPress Plugin With More Than 1 million Installations

Boasting over a million active installations, Essential Addons for Elementor is the go-to plugin for many WordPress users, empowering their Elementor page-building experience with more than 90 creative elements and extensions. Yet, in this ocean of features and add-ons, lurks a high-risk vulnerability that compromises the security of WordPress sites globally.

The grave security flaw, tracked as CVE-2023-32243, with a CVSS score of 9.8, is an unauthenticated privilege escalation vulnerability. This means any unauthenticated user can elevate their privilege to mirror that of any user on the WordPress site. The implications are dire: malicious actors can reset the password of any user, including administrators, as long as they know the username or email.

Peeling back the layers, researcher Rafie Muhammad from Patchstack finds that this vulnerability stems from a lack of password reset key validation. The flawed function directly alters the password of the specified user, bypassing any need for verification. This loophole was sealed in version 5.7.2, but the damage was done.

The discovery of the CVE-2023-32243 vulnerability started with the inspection of the `init` hook located in the `register_hooks` function. When this function triggers the `login_or_register_user` function, it performs several checks and calls the corresponding function. The vulnerability is rooted in the `reset_password` function.

includes/Classes/Bootstrap.php

// Login | Register

add_action('init', [$this, 'login_or_register_user']);

includes/Traits/Login_Registration.php

public function login_or_register_user() {

    do_action( 'eael/login-register/before-processing-login-register', $_POST );

    // login or register form?

    if ( isset( $_POST['eael-login-submit'] ) ) {

        $this->log_user_in();

    } else if ( isset( $_POST['eael-register-submit'] ) ) {

        $this->register_user();

    } else if ( isset( $_POST['eael-lostpassword-submit'] ) ) {

        $this->send_password_reset();

    } else if ( isset( $_POST['eael-resetpassword-submit'] ) ) {

        $this->reset_password();

    }

    do_action( 'eael/login-register/after-processing-login-register', $_POST );



}

To exploit the vulnerability, an attacker first needs to set random values in `$_POST[‘page_id’]` and `$_POST[‘widget_id’]` to avoid triggering an error message. The attacker also needs to set `$_POST[‘eael-resetpassword-nonce’]` as the nonce value will be verified in the code. To reset the password, the attacker needs to supply the same password string to `$_POST[‘eael-pass1’]` and `$_POST[‘eael-pass2’]`.

With these conditions met, the attacker can construct a `$rp_login` variable from `$_POST[‘rp_login’]` and use the `get_user_by` function to construct a `$user` object by searching for a username that matches the `$rp_login` variable. If the `$user` object exists and there are no errors, the code will directly reset the user’s password using the `reset_password` function.

The final piece of the puzzle involves the `essential-addons-elementor` nonce value. This value is present in the main front-end page of the WordPress site, set in the `$this->localize_objects` variable by the `load_commnon_asset` function. The function is then called from `init_hook` and set as a function handler of the `wp_enqueue_scripts` hook, which displays all of the enqueued scripts and styles.

Note that this vulnerability could be triggered on a default installation or configuration of the Essential Addons for Elementor plugin.

Users of the Essential Addons for Elementor plugins (versions 5.7.1 and below) are strongly encouraged to update to version 5.7.2 to safeguard their websites from this vulnerability.