Over one million WordPress websites run Essential Addons for Elementor, a plugin found to contain a critical privilege escalation vulnerability. The flaw, tracked as CVE-2023-32243, affects versions 5.4.0 through 5.7.1 of the plugin and allows an unauthenticated attacker to escalate privileges to those of any user on the WordPress site, including an administrator.
The vulnerability was discovered by researchers at Patchstack on May 8 and disclosed to WPDeveloper, the author of Essential Addons for Elementor. WPDeveloper responded by releasing a new version of the software, version 5.7.2, on May 11, which addressed the bug. The vendor described the new version as featuring a security enhancement in the login and register form for the software.
According to Patchstack, the vulnerability stems from the Essential Addons password reset code changing a user's password without validating that a legitimate password reset key was supplied with the request. An unauthenticated attacker who knows a target's username can therefore reset that user's password on an affected site and log in as that user.
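The following PHP is an added illustration of the defect Patchstack describes, not code from Essential Addons or WPDeveloper: a front-end reset handler that sets a new password without ever calling WordPress core's check_password_reset_key(), beside a hardened version that does. The function names, form field names (rp_login, rp_key, new_pass1, new_pass2) and the nonce action are assumed for illustration; only the WordPress core API calls named in the comments are real.

```php
<?php
// Added illustration, not the plugin's code. Two versions of a plugin-style
// "reset password" form handler. Field and nonce names are assumed.

// VULNERABLE pattern: the request is trusted as soon as a username and two
// matching passwords arrive. Nothing ties the request to the reset link that
// WordPress e-mailed to the account owner.
function vulnerable_reset_password() {
    if ( ! isset( $_POST['rp_login'], $_POST['new_pass1'], $_POST['new_pass2'] ) ) {
        return;
    }
    // A nonce only proves the request came through the site's own form. Any
    // visitor can load the form and obtain it, so it is not an ownership check.
    if ( ! wp_verify_nonce( $_POST['my_plugin_reset_nonce'] ?? '', 'my_plugin_reset' ) ) {
        return;
    }
    $login = sanitize_user( wp_unslash( $_POST['rp_login'] ) );
    $user  = get_user_by( 'login', $login );
    if ( ! $user || $_POST['new_pass1'] !== $_POST['new_pass2'] ) {
        return;
    }
    // Missing: check_password_reset_key(). The caller picks $login ("admin")
    // and the new password; no e-mailed reset key is ever required.
    reset_password( $user, wp_unslash( $_POST['new_pass1'] ) );
}

// HARDENED pattern: require the reset key and let core validate it.
// check_password_reset_key( $key, $login ) returns the WP_User only when the
// key matches the hashed key stored for that login and has not expired;
// otherwise it returns a WP_Error ('invalid_key' or 'expired_key').
function hardened_reset_password() {
    if ( ! isset( $_POST['rp_login'], $_POST['rp_key'], $_POST['new_pass1'], $_POST['new_pass2'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_POST['my_plugin_reset_nonce'] ?? '', 'my_plugin_reset' ) ) {
        return;
    }
    $login = sanitize_user( wp_unslash( $_POST['rp_login'] ) );
    $key   = sanitize_text_field( wp_unslash( $_POST['rp_key'] ) );

    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        // Same generic message whether the login exists or the key is bad, so
        // the form cannot be used to enumerate usernames.
        wp_die( esc_html__( 'This password reset link is invalid or has expired.', 'my-plugin' ) );
    }

    $pass1 = wp_unslash( $_POST['new_pass1'] );
    $pass2 = wp_unslash( $_POST['new_pass2'] );
    if ( '' === $pass1 || $pass1 !== $pass2 ) {
        wp_die( esc_html__( 'The passwords do not match.', 'my-plugin' ) );
    }

    // reset_password() calls wp_set_password(), which stores the new hash and
    // clears the stored activation key, so the same link cannot be replayed.
    reset_password( $user, $pass1 );
}

// Only the hardened handler is registered; the vulnerable one is shown for
// comparison and must not be hooked.
add_action( 'init', 'hardened_reset_password' );
```

The practical check for any plugin that ships its own reset form is the same as the diff between these two functions: find the code path that calls reset_password() or wp_set_password() and confirm that a successful check_password_reset_key() call stands between the untrusted request and that write. A nonce check alone, as in the vulnerable version, does not count.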
The Essential Addons flaw is just one of thousands of vulnerabilities that researchers have uncovered in WordPress plugins in recent years. In 2022 alone, Patchstack counted 4,528 new vulnerabilities in WordPress plugins, a 328% increase over the 1,382 it observed in 2021. Plugins accounted for 93% of the reported bugs in the WordPress ecosystem last year, while just 0.6% of confirmed bugs were in the core WordPress platform itself. Some 14% of the bugs were of high or critical severity.
The trend has continued this year: iThemes, which tracks WordPress plugin flaws weekly, counted 160 vulnerabilities in the one-week period ending April 26 alone. Those bugs affected some 8 million WordPress websites, and only 68 of the 160 had patches available at disclosure time.
Just last week, Patchstack reported another privilege escalation vulnerability in a different plugin, Advanced Custom Fields, that affected two million websites. That flaw gave attackers a way both to steal sensitive data from affected sites and to escalate privileges on them.
In April, Sucuri reported on a campaign dubbed “Balada Injector,” where a threat actor has been systematically injecting malware into WordPress sites via vulnerable plugins for at least the past five years. The security vendor assessed the threat actor behind the campaign had infected at least one million WordPress sites with malware that redirected site visitors to fake tech support sites, fraudulent lottery sites, and other scam sites.
Sucuri found the threat actor using newly disclosed vulnerabilities and, in some instances, zero-day bugs to launch massive attack waves against WordPress sites. A lot of the attacker interest in the WordPress ecosystem has to do with its widespread use. Estimates on the exact number of WordPress sites worldwide vary widely, with some pegging the number at upwards of 800 million. Technology survey website W3Techs, which some consider a reliable source for WordPress-related statistics, estimates that some 43% of all websites worldwide currently use WordPress.
Despite the growing number of vulnerabilities being reported in the WordPress ecosystem, Patchstack suggests that this isn’t necessarily a sign that plugin developers are getting sloppier. Rather, it indicates that security researchers are looking harder, and more of these security bugs are being addressed and patched.
The WordPress ecosystem is becoming more secure thanks to the efforts of security researchers and plugin developers. Website operators must still exercise caution in choosing WordPress plugins and keep them up to date; in this case, that means updating Essential Addons for Elementor to version 5.7.2 or later.