June 6, 2023

Researchers have discovered a security flaw, tracked as CVE-2023-32243 with a CVSS score of 9.8: an unauthenticated privilege escalation vulnerability in the Essential Addons for Elementor WordPress plugin, which has over 1 million installations.

Any unauthenticated user can elevate their privileges to match those of any user on the WordPress site. The implications are serious: malicious actors can reset the password of any user, including administrators, if they know the username or email.


This vulnerability stems from a lack of password reset key validation: the flawed function directly changes the password of the specified user without verifying that the request carries a valid reset key. The loophole was sealed in version 5.7.2, but the damage was done.

The analysis of CVE-2023-32243 starts with the `init` hook registered in the `register_hooks` function. When this hook fires the `login_or_register_user` function, that function performs several checks and dispatches to the corresponding handler. The vulnerability is rooted in the `reset_password` function.

To exploit the vulnerability, an attacker first needs to set random values in `$_POST['page_id']` and `$_POST['widget_id']` to avoid triggering an error message. The attacker also needs to set `$_POST['eael-resetpassword-nonce']`, as the nonce value is verified in the code. To reset the password, the attacker needs to supply the same password string in `$_POST['eael-pass1']` and `$_POST['eael-pass2']`.

With these conditions met, the code builds a `$rp_login` variable from `$_POST['rp_login']` and uses the `get_user_by` function to construct a `$user` object by looking up a username that matches `$rp_login`. If the `$user` object exists and there are no errors, the code directly resets that user's password via the `reset_password` function.


The final piece of the puzzle is the `essential-addons-elementor` nonce value. This value is present on the main front-end page of the WordPress site, set in the `$this->localize_objects` variable by the `load_common_asset` function. That function is called from `init_hook` and registered as a handler for the `wp_enqueue_scripts` hook, which outputs all enqueued scripts and styles.


```php
public function login_or_register_user() {

    do_action( 'eael/login-register/before-processing-login-register', $_POST );

    // login or register form?
    if ( isset( $_POST['eael-login-submit'] ) ) {
        // login handling (body elided on the page)
    } else if ( isset( $_POST['eael-register-submit'] ) ) {
        // registration handling (body elided on the page)
    } else if ( isset( $_POST['eael-lostpassword-submit'] ) ) {
        // lost-password (reset link) handling (body elided on the page)
    } else if ( isset( $_POST['eael-resetpassword-submit'] ) ) {
        // the vulnerable path: dispatches to reset_password(), which changes
        // the password without validating a password reset key
        $this->reset_password();
    }

    do_action( 'eael/login-register/after-processing-login-register', $_POST );
}
```
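The core defect is that the reset handler trusts `rp_login` alone as proof of identity. The following is an added illustration, not the plugin's own code or its 5.7.2 patch: a handler written in the unsafe shape the advisory describes, next to one that first checks a reset key with the WordPress core function `check_password_reset_key()`. It assumes a WordPress runtime (`wp_verify_nonce`, `get_user_by`, `check_password_reset_key`, `reset_password`, `sanitize_user` are core functions); the nonce action name and the `rp_key` field name are assumptions chosen for the example.

```php
<?php
// Added example; assumes it is executed inside WordPress so the core
// functions used below exist. Field and action names marked "assumed"
// are choices made for this illustration, not values from the plugin.

// Unsafe pattern as described in the advisory: after a nonce check and a
// password-confirmation check, the user is looked up purely by the
// attacker-supplied login name and the password is replaced outright.
function reset_handler_unsafe( array $post ) {
    $nonce = sanitize_text_field( wp_unslash( $post['eael-resetpassword-nonce'] ?? '' ) );
    if ( ! wp_verify_nonce( $nonce, 'eael-resetpassword-nonce' ) ) { // action name assumed
        return new WP_Error( 'bad_nonce', 'Nonce verification failed.' );
    }

    $pass1 = (string) ( $post['eael-pass1'] ?? '' );
    $pass2 = (string) ( $post['eael-pass2'] ?? '' );
    if ( $pass1 === '' || $pass1 !== $pass2 ) {
        return new WP_Error( 'password_mismatch', 'Passwords do not match.' );
    }

    // Identity is taken from a request field; nothing proves the caller
    // ever received the reset e-mail for this account.
    $user = get_user_by( 'login', sanitize_user( wp_unslash( $post['rp_login'] ?? '' ) ) );
    if ( ! $user ) {
        return new WP_Error( 'invalid_user', 'Unknown user.' );
    }

    reset_password( $user, $pass1 ); // password changed with no reset-key check
    return true;
}

// Hardened shape: the caller must present the key that WordPress generated
// when the reset link was issued. check_password_reset_key() only returns
// the WP_User when $key matches the stored, unexpired key for $login; in
// every other case it returns a WP_Error and nothing is changed.
function reset_handler_hardened( array $post ) {
    $nonce = sanitize_text_field( wp_unslash( $post['eael-resetpassword-nonce'] ?? '' ) );
    if ( ! wp_verify_nonce( $nonce, 'eael-resetpassword-nonce' ) ) { // action name assumed
        return new WP_Error( 'bad_nonce', 'Nonce verification failed.' );
    }

    $login = sanitize_user( wp_unslash( $post['rp_login'] ?? '' ) );
    $key   = sanitize_text_field( wp_unslash( $post['rp_key'] ?? '' ) ); // field name assumed

    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        // 'expired_key' / 'invalid_key' end the request here; log it for
        // detection, since a reset POST without a valid key is never legitimate.
        error_log( 'password reset rejected for login=' . $login . ' reason=' . $user->get_error_code() );
        return $user;
    }

    $pass1 = (string) ( $post['eael-pass1'] ?? '' );
    $pass2 = (string) ( $post['eael-pass2'] ?? '' );
    if ( $pass1 === '' || $pass1 !== $pass2 ) {
        return new WP_Error( 'password_mismatch', 'Passwords do not match.' );
    }

    reset_password( $user, $pass1 ); // only reachable with a valid key
    return true;
}
```

The nonce in both handlers is not a substitute for the key: as the advisory notes, the `essential-addons-elementor` nonce is embedded in the public front-end page, so it only proves the request came from a page load, not that the sender owns the account. The key check is what ties the reset to the e-mail the account holder received.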


This vulnerability can be triggered on a default installation or configuration of the Essential Addons for Elementor plugin. Users of the Essential Addons for Elementor plugin (versions 5.7.1 and below) are strongly encouraged to update to version 5.7.2 to safeguard their websites from this vulnerability.
