Security
Headlines
HeadlinesLatestCVEs

Headline

WordPress Elementor Lite 5.7.1 Arbitrary Password Reset

On May 11 2023, Essential Addons for Elementor, a WordPress plugin with over one million active installations, released a patch for a critical vulnerability that made it possible for any unauthenticated user to reset arbitrary user passwords, including user accounts with administrative-level access. Versions 5.7.1 and below are affected.

Packet Storm
#vulnerability#web#windows#apple#git#wordpress#intel#backdoor#auth#chrome#webkit#sap
Attackers are already exploiting the critical Authentication Bypass Vulnerability in Essential Addons for Elementor.On May 11 2023, Essential Addons for Elementor, a WordPress plugin with over one million active installations, released a patch for a critical vulnerability that made it possible for any unauthenticated user to reset arbitrary user passwords, including user accounts with administrative-level access. This vulnerability was discovered and responsibly disclosed by security researcher Rafie Muhammed.Over the past few days we’ve seen millions of probing attempts for the plugin’s readme.txt file, which are likely to be attackers probing for the presence of the plugin to build a target site exploit list, along with over 6,900 blocked exploit attempts. Our attack data is limited due to the fact that the rule only triggers if the plugin is installed on a site with a vulnerable version, but a programmatic exploit was made public on Github on May 14th. This is the type of vulnerability that tends to see widespread attacks due to a combination of a large install base, ease of exploitation, and severity of impact, and we anticipate that exploit attempts will only ramp up from here.Wordfence Premium, Care, and Response customers received a firewall rule the same day the issue was disclosed on May 11, 2023. Wordfence free users will receive that same protection 30 days later on June 20, 2023. Considering how easily this vulnerability can be successfully exploited, we highly recommend all users of the plugin update ASAP to ensure their site is not compromised by this vulnerability.This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation. Or you can read the full post in this email.READ THIS POST ON THE BLOGVulnerability DetailsDescription: Essential Addons for Elementor <= 5.7.1 – Unauthenticated Arbitrary Password Reset to Privilege Escalation Affected Plugin: Essential Addons for Elementor Plugin Slug: essential-addons-for-elementor-liteAffected Versions: <= 5.7.1CVE ID: CVE-2023-32243CVSS Score: 9.8 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HResearcher/s: Rafie Muhammed Fully Patched Version: 5.7.2The vulnerability patched in Essential Addons for Elementor allowed for attackers to reset passwords for arbitrary accounts on any of the one million WordPress sites running the plugin. This was due to the fact that the reset_password function did not adequately validate a password reset request with a password reset key, so attackers could simply supply a valid username, obtain a valid nonce from the site’s homepage, input random data for the remaining fields, and reset the supplied users password to whatever they chose in one simple request.WordPress doesn’t consider usernames to be sensitive information which means attackers can easily enumerate a site looking for valid usernames. Additionally, site owners often forget to change the default username making it possible for attackers to use common default usernames such as ‘admin.’ This makes it much easier for attackers to uncover valid accounts that they can compromise in order to elevate their privileges on the site. Once the attacker is logged in as an administrator, they have free rein to perform actions like installing plugins and backdoors to further infect the site, server, and any unsuspecting visitors.A Look at the Attack DataPlugin Discovery ProbingThe first interesting trend we noticed is that immediately following the disclosure of the vulnerability on May 11, 2023 readme.txt probing attempts for Essential Addons for Elementor immediately spiked and remained relatively higher than normal over the course of a few days. While there are services that probe installation data for legitimate purposes, we believe this data indicates that attackers began looking for vulnerable sites as soon as the vulnerability was disclosed. Over 5,000,000 readme.txt probs were made just the day after disclosure.readmeprob Top Offending IP Addresses Engaging in Discoveryreadmeprobip Top Offending IP Addresses And Total Number of Exploits BlockedIn the past 5 days, we have blocked over 6,900 attacks with the top attacking IP being 78.128.60.112. We have also detected and blocked a few hundred exploit attempts utilizing the exploit that was released two days ago. Again, our data is limited due to the nature of the WAF rule, however, it’s worth noting that all of the 6,900 requests we blocked would have likely led to site compromises if they did not have Wordfence Premium installed.exploitattempts Indicators of CompromiseOne obvious sign of infection is if a site’s administrator is unable to log in with the correct password as it may have been changed as a result of this vulnerability, and the site is running Essential Addons for Elementor version 5.7.1 or older. We also recommend checking for newly added malicious administrators, as these may have been added to maintain persistence.We have begun tracking infections on sites running a vulnerable version of the plugin, and though no clear pattern has yet emerged, sites running outdated versions of the plugin were already at significantly higher risk of infection than our average user.User Agents- The public exploit uses the following User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299Look for requests in a site’s access log with the following originating IP Addresses:- 78.128.60.112- 23.224.195.51- 212.113.119.6- 193.233.232.243- 91.193.43.151- 51.77.200.137- 2a0e:d602:1:4c8::2- 103.187.5.198- 2a0e:d602:1:bae::2- 103.149.137.18ConclusionIn today’s article, we covered a Critical-severity vulnerability in Essential Addons for Elementor that allows attackers to easily take over websites by resetting the password of any user, including administrators. We have begun tracking attack data for this vulnerability and expect attacks to ramp up as the vulnerability is trivial to exploit, has a wide install base, and is highly impactful, making it incredibly attractive to attackers.Wordfence Premium, Care, and Response customers received protection against this vulnerability via a firewall rule on May 11, 2023, and Wordfence free users will receive the same protection 30 days later on June 20, 2023.Even if you have already received a firewall rule for this issue we urge you to ensure that your site is updated to at least version 5.7.2 in order to maintain normal functionality, as this vulnerability is severe. If you have friends or colleagues running Essential Addons for Elementor, be sure to forward this advisory to them, as hundreds of thousands of sites still remain unprotected and unpatched.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard. I’d like to say a special thank you to my colleague Ramuel Gall, Senior Security Researcher at Wordfence, for his assistance on this research and post.

Related news

WordPress Plug-in Used in 1M+ Websites Patched to Close Critical Bug

The privilege escalation flaw is one in thousands that researchers have disclosed in recent years.

CVE-2023-32243: 1+ Million Sites Affected by Critical Privilege Escalation Vulnerability in Essential Addons for Elementor Plugin

Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1.

Severe Security Flaw Exposes Over a Million WordPress Sites to Hijack

A security vulnerability has been disclosed in the popular WordPress plugin Essential Addons for Elementor that could be potentially exploited to achieve elevated privileges on affected sites. The issue, tracked as CVE-2023-32243, has been addressed by the plugin maintainers in version 5.7.2 that was shipped on May 11, 2023. Essential Addons for Elementor has over one million active

Packet Storm: Latest News

Ubuntu Security Notice USN-7089-6