Date: 5/6/2023 | Prepared by: Jason Trapp, DFIR Analyst
This alert aims to bring attention to a critical vulnerability identified in WPDeveloper’s Essential Addons for Elementor for WordPress1. This vulnerability is being tracked with the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2023-32243.
The National Institute of Standards and Technology (NIST) has rated CVE-2023-32243 a 9.8/10 on the Common Vulnerability Scoring System (CVSS). This issue affects organisations utilising Essential Addons for Elementor versions 5.4.0 up to and including 5.7.1.
The Triskele Labs Digital Forensics and Incident Response (DFIR) team has observed and responded to the successful exploitation of this vulnerability.
Essential Addons for Elementor is one of the most used plugins on WordPress. As stated on the plugin webpage2, there are over one (1) million active installations.
Anyone with an active Internet connection and access to the script can exploit this vulnerability. At the time of writing, several Proof of Concept (POC) scripts are available online.
The impact of exploitation is that a Threat Actor can reset passwords on any account on the WordPress site.
As a result, it has been observed by Triskele Labs that Threat Actors have uploaded webshells and scripts that allow them to retrieve database passwords allowing them to crack the passwords offline as well as for persistent access.
Additionally, it was observed that Threat Actors uploaded their own plugins, which would allow the Threat Actor to exploit in future.
Depending on the Threat Actor, website defacement can be a result of successful exploitation. Hidden redirect links are often embedded into JavaScript code throughout the website to redirect random users to third-party sites to simulate an advertisement clicked by the user to generate revenue.
This could also redirect users to sites looking to harvest personal data.
This vulnerability is actively being exploited in the wild3 as reported by WordFence, which has, at the time of writing, blocked 6900 exploitation attempts.
This vulnerability affects all versions between 5.4.0 and 5.7.1 of Essential Addons for Elementor for WordPress.
The vulnerability is exploited by targeting the reset_password function, which does not validate the password reset request. A Threat Actor is only required to supply a valid username, and this will allow them to obtain a valid nonce, fill in the other fields with random data, and then enter any password. Changing the usernames to random strings will not help mitigate this vulnerability, as usernames are trivial to enumerate.
An unauthenticated user can exploit this vulnerability. The target user account password does not need to be known. User interaction is not required for this vulnerability to be exploited.
As exploitation scripts are publicly available, successfully exploiting this vulnerability against a vulnerable platform is trivial.
Triskele Labs recommends that the Essential Addons for Elementor is updated to the latest version. The following URL lists the relevant update articles for the affected plugin:
Additional mitigation actions that can be taken include:
These mitigation strategies are not substitutes for patching the vulnerability. These should be implemented to complement the patch as Defence in Depth measures or in the case that a patch cannot be immediately applied.
The Triskele Labs DefenceShield Security Operations Centre (SOC) monitors suspicious activity for Managed Detection and Response (MDR) clients. DefenceShield Monitor clients with Security Information and Event Management (SIEM) agents deployed to endpoints running Microsoft Outlook will detect exploitation of this vulnerability.
Triskele Labs are performing ongoing scanning for DefenceShield Assess clients to detect vulnerable devices in client networks.
1 https://nvd.nist.gov/vuln/detail/CVE-2023-32243
2 https://wordpress.org/plugins/essential-addons-for-elementor-lite/