Published May 15, 2023
Author: Ash Khan

Over one million WordPress websites are exposed to attacks that aim to gain unauthorised access to user accounts, including accounts with elevated privileges, because of a newly identified vulnerability in the Essential Addons for Elementor plugin.


A Patchstack researcher highlighted the new vulnerability (CVE-2023-32243) in an alert released on Thursday.


New WordPress plugin vulnerability

The issue is an unauthenticated privilege escalation vulnerability: according to the advisory, it allows any unauthenticated visitor to escalate their privileges to those of any user on the WordPress site.


Patchstack states that by exploiting this flaw, attackers can reset any user's password while knowing only that user's username, and so obtain unauthorised access to the account, including accounts with administrative capabilities.


The vulnerability is caused by the plugin's password reset function failing to validate the password reset key. Instead, it updates the supplied user's password directly, with no intermediate step.

After Patchstack notified the plugin vendor, the problem was fixed in version 5.7.2.

According to the alert, Patchstack discovered that third parties had already obtained the vulnerability information by monitoring the plugin's changelog, and it therefore decided to disclose the vulnerability early and make the issue public.

At the same time, Patchstack noted that although the patch addresses the discovered vulnerability, the software may still contain other flaws, and additional vulnerabilities may emerge in the future.


For that reason, plugin developers and site administrators should apply additional safeguards such as access control and nonce checks, and use WordPress's check_password_reset_key() function, which validates both the authenticity and the expiry of a password reset key, so that password resets are only performed for the legitimate holder of the reset link.
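To make the point concrete, here is an added illustrative example written for this article; it is not the Essential Addons for Elementor plugin's code and not taken from the Patchstack advisory. It contrasts a reset handler with the weakness described above (the password is overwritten for whatever username is submitted, with no reset key check) against a hardened handler that verifies a nonce and validates the key with check_password_reset_key(). The hook, form field and function names prefixed my_ and the /reset-password/ path are assumptions for the demo; the WordPress API calls used (get_user_by, reset_password, wp_verify_nonce, check_password_reset_key, get_password_reset_key) are real core functions.

```php
<?php
/*
 * Added illustrative example, not the plugin's own code. Names prefixed
 * my_ and the /reset-password/ path are assumptions made for this demo.
 */

/* Vulnerable pattern: no reset key is required at all. Anyone who knows a
 * username (for example "admin") can submit this form and set that user's
 * password. This is the flaw class the advisory describes. */
function my_insecure_reset_handler() {
    if ( ! isset( $_POST['my_reset_submit'] ) ) {
        return;
    }
    $login    = sanitize_user( wp_unslash( $_POST['my_login'] ?? '' ) );
    $password = (string) wp_unslash( $_POST['my_password'] ?? '' );

    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        wp_die( 'Unknown user.' );
    }
    // BUG: the password is overwritten directly, without any proof that the
    // caller received the reset link for this account.
    reset_password( $user, $password );
}

/* Hardened pattern: nonce check, then key check, then (and only then) reset. */
function my_secure_reset_handler() {
    if ( ! isset( $_POST['my_reset_submit'] ) ) {
        return;
    }
    // 1. Nonce check: the form must have been issued by this site for this action.
    $nonce = sanitize_text_field( wp_unslash( $_POST['my_reset_nonce'] ?? '' ) );
    if ( ! wp_verify_nonce( $nonce, 'my_reset_password' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    $login    = sanitize_user( wp_unslash( $_POST['my_login'] ?? '' ) );
    $key      = sanitize_text_field( wp_unslash( $_POST['my_rp_key'] ?? '' ) );
    $password = (string) wp_unslash( $_POST['my_password'] ?? '' );
    $confirm  = (string) wp_unslash( $_POST['my_password_confirm'] ?? '' );

    // 2. Key check: core compares the submitted key against the hashed key
    //    stored for this login and rejects expired keys (default lifetime one
    //    day). It returns a WP_User on success and a WP_Error otherwise.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        // Same message for "bad key", "expired key" and "no such user", so the
        // endpoint cannot be used to enumerate usernames.
        wp_die( 'This password reset link is invalid or has expired.', '', array( 'response' => 403 ) );
    }
    if ( $password === '' || $password !== $confirm ) {
        wp_die( 'Passwords are empty or do not match.' );
    }

    // 3. Change the password. wp_set_password(), called inside reset_password(),
    //    clears the stored activation key, so the link cannot be reused.
    reset_password( $user, $password );
    wp_safe_redirect( wp_login_url() );
    exit;
}
add_action( 'init', 'my_secure_reset_handler' );

/* Issuing the key: the only legitimate source of a valid my_rp_key value.
 * get_password_reset_key() stores a hashed, timestamped copy in the user's
 * activation key field and returns the plaintext key, which should only ever
 * be delivered to the account's registered email address. */
function my_build_reset_link( $login ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        return false; // the caller should still show a neutral "check your email" message
    }
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return false;
    }
    return add_query_arg(
        array(
            'my_rp_key' => $key,
            'my_login'  => rawurlencode( $user->user_login ),
        ),
        home_url( '/reset-password/' )
    );
}
```

The structural difference is the order of checks: the hardened handler never touches the account until the nonce and the reset key have both been accepted, and it returns one generic error for every failure so the reset endpoint gives no hint about which usernames exist.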


Patchstack's warning to update a widely used WordPress plugin follows similar advisories the company issued in previous months.

WordPress Security tips

Here are some WordPress security tips that you should follow: 


  1. Safeguard your login methods.
  2. Use secure WordPress hosting.
  3. Keep the WordPress core version up to date.
  4. Upgrade to the newest PHP version.
  5. Install one or more security plug-ins.
  6. Use a safe WordPress theme.
  7. Configure SSL/HTTPS.
  8. Put up a firewall.
  9. Back up your website.
  10. Conduct frequent WordPress security checks.
  11. Filter out special characters from user input.
  12. Limit WordPress user rights.
  13. Utilise WordPress monitoring.
  14. Record user activities.
  15. Modify the default WordPress login URL.
  16. Turn off file editing in the WordPress dashboard.
  17. Change the default prefix of your database tables.
  18. Disable the xmlrpc.php file.
  19. Consider removing the default WordPress admin account.
  20. Consider concealing your WordPress version.
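Three of the tips above (16, 18 and 20) can be applied with a few lines of configuration. The following is an added example written for this article, not code from the original page; the file name harden.php is an assumption, and the constants, filters and actions used are standard WordPress ones.

```php
<?php
/*
 * Added example, not part of the original article. Drop this file into
 * wp-content/mu-plugins/ (assumed file name: harden.php) so it loads before
 * regular plugins and cannot be deactivated from the dashboard.
 */

// Tip 16: turn off the theme and plugin file editor in the dashboard.
// Conventionally defined in wp-config.php; defining it here also works
// because mu-plugins load before the capability check runs.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Tip 18: disable the XML-RPC interface. xmlrpc.php consults this filter
// before serving any request, so every method is refused.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Tip 20: stop advertising the WordPress version.
remove_action( 'wp_head', 'wp_generator' );               // <meta name="generator"> in page head
add_filter( 'the_generator', '__return_empty_string' );   // generator element in RSS/Atom feeds
```

Hiding the version string is only obscurity; the real protection against a flaw like CVE-2023-32243 is keeping WordPress and its plugins updated (tips 3 and 4), which no configuration file can substitute for.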