WordPress plugins allow organizations to quickly extend the functionality of their websites without requiring any coding or advanced technical skills. But they have also been the biggest source of risk for website operators in recent years.
Patchstack researchers discovered that the vulnerability, CVE-2023-32243 (CVSS score: 9.8, Critical), exists in the Essential Addons for Elementor plugin's password reset functionality and could allow an unauthenticated attacker to perform privilege escalation.
The code for resetting user passwords does not properly check if the password reset key is present and legitimate. This means that a remote attacker could exploit the issue to reset the password of any existing user on the system, as long as they know the user’s username.
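The article's point is that the reset handler never confirmed the reset key was present and valid before changing the password. The following is an added illustration of what such a handler must do, written against WordPress core functions (check_password_reset_key, reset_password, wp_verify_nonce); it is not the plugin's own code, and the form field names and action name are assumptions.

```php
<?php
/**
 * Schematic password-reset handler for a WordPress plugin (added illustration,
 * not the code of Essential Addons for Elementor). The reset only succeeds when
 * a key is present, was issued for this login, and has not expired.
 */
function example_handle_password_reset() {
    // Only act on our own form submission (field name is an assumption).
    if ( empty( $_POST['example_reset_submit'] ) ) {
        return;
    }

    // CSRF protection: the form must carry a nonce for this specific action.
    if ( ! isset( $_POST['_wpnonce'] )
        || ! wp_verify_nonce( $_POST['_wpnonce'], 'example_password_reset' ) ) {
        wp_die( 'Invalid request.' );
    }

    $login = isset( $_POST['rp_login'] ) ? sanitize_user( wp_unslash( $_POST['rp_login'] ) ) : '';
    $key   = isset( $_POST['rp_key'] ) ? sanitize_text_field( wp_unslash( $_POST['rp_key'] ) ) : '';
    $pass1 = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    $pass2 = isset( $_POST['pass2'] ) ? (string) wp_unslash( $_POST['pass2'] ) : '';

    // Presence check: a missing key must never fall through to a reset.
    if ( '' === $login || '' === $key ) {
        wp_die( 'Missing reset key or user login.' );
    }

    // Legitimacy check: WordPress compares the key with the hashed key stored
    // for this user and enforces its expiry (one day by default).
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        wp_die( 'Invalid or expired reset key.' );
    }

    if ( '' === $pass1 || $pass1 !== $pass2 ) {
        wp_die( 'Passwords do not match.' );
    }

    // Only now is the password changed, and only for the user the key belongs to.
    reset_password( $user, $pass1 );
    wp_safe_redirect( wp_login_url() );
    exit;
}
add_action( 'init', 'example_handle_password_reset' );
```

Knowing a username alone is not enough to pass this handler: check_password_reset_key() ties the change to a key that was generated for that user and delivered out of band.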
Patchstack counted 4,528 new vulnerabilities in WordPress plugins in 2022 alone, a startling 328% increase over the 1,382 it observed in 2021.
The fix is to upgrade to version 5.7.2. Users of Essential Addons for Elementor are advised to update to the latest version of the plugin as soon as possible to protect their WordPress websites from the vulnerability.