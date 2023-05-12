Security researchers have found a serious flaw in the popular WordPress plugin, Essential Addons for Elementor.

This plugin is a library consisting of 90 different extensions for the Elementor page builder, and it has been installed on over a million WordPress sites.

Cybersecurity firm, PatchStack, discovered a flaw in the plugin which could have allowed hackers to take full control of a targeted website.

The vulnerability, tracked as CVE-2023-32243, is an unauthenticated privilege escalation flaw that affects all versions from 5.4.0 up to 5.7.1.

Hackers could easily reset the password of an admin account using the password reset functionality, and gain control of the entire website.

Once attackers take control of a website, they can steal sensitive information, engage in identity theft, distribute malware, and engage in ad fraud.

To exploit this flaw, attackers need to know the username of the system’s admin and set a random value in POST ‘page_id’ and ‘widget_id’ inputs.

Additionally, they must provide the correct nonce value on the ‘eael-resetpassword-nonce’ as that validates the password reset and sets a new password on the ‘eael-pass1’ and ‘eael-pass2’ parameters.

The flaw has since been patched, and users are urged to update to version 5.7.2 of Essential Addons for Elementor.