Privilege Escalation vulnerability in WordPress [CVE-2023-32243]
A security flaw was identified in Essential Addons for Elementor, a widely used WordPress plugin boasting more than one million active installations. This vulnerability, assigned CVE-2023-32243, permits an unauthorized attacker to reset the password of any user on the affected website, thereby granting them administrator privileges.
In-depth analysis of CVE-2023-32243 reveals that it impacts the password reset feature of the Essential Addons plugin integrated with Elementor. The weakness stems from the absence of validation for password reset keys, enabling direct modification of a user’s password without proper verification. Consequently, even without knowledge of a user’s current password, an attacker can exploit this flaw to reset the password of any user on the compromised website.
Essential Addons for Elementor is an addon/plugin for WordPress that extends its functionality. Unfortunately, it contains a security vulnerability that allows unauthorized individuals to elevate their privileges to match those of any user on the WordPress site, without requiring authentication.
By possessing knowledge of a user’s username, an attacker can reset their password and gain illicit access to their account. This vulnerability arises due to the lack of password reset key validation in the password reset function, which directly alters the password for the specified user.
To rectify this issue, the vulnerability was addressed in version 5.7.2 of the plugin. The fix implements proper validation of the reset key within the password reset function, effectively mitigating the risk of privilege escalation. The CVE-2023-32243 identifier has been assigned to this vulnerability.
How to exploit this vulnerability?
In order to take advantage of this vulnerability, a preconfigured environment with the specific version of the vulnerable component is necessary. To assess the vulnerability, it is essential to set up a local WordPress installation and install the susceptible Elementor addon. Additionally, a Python script, available for cloning from GitHub, is required to conduct the testing process.
Step 1: Download the wordpress and host on XAMPP Server.
Step 2: After completing the setup of WordPress, our next step is to obtain the necessary компонент. Specifically, we need to acquire ‘Essential Addons for Elementor – version 5.7.1′ from the following website: https://wordpress.org/plugins/essential-addons-for-elementor-lite/advanced/. As seen in the screenshot below, the desired version is not available in the dropdown menu. Therefore, we must download the required version from the archived section by constructing the URL with the desired version. You can simply download it from this link: https://downloads.wordpress.org/plugin/essential-addons-for-elementor-lite.5.7.1.zip.
Step 3: Extract the downloaded file and copy it into the XAMPP Server’s htdocs > wordpress > wp-content > plugins directory.
Step 4: Access the administrative portal for the hosted WordPress website, then navigate to the plugins section. Proceed to enable the plugin labeled with version 5.7.1.
Step 5: Once the WordPress website has been prepared with a plugin that has security vulnerabilities, the next step is to execute our exploit. To accomplish this, we will replicate one of the exploits available on GitHub. The specific exploit we are cloning can be found at the following source: https://github.com/RandomRobbieBF/CVE-2023-32243.
Step 6: After cloning the repository, proceed with the installation of the requirements specified in the requriements.txt досье.
Step 7: In order to get started quickly with our plan, давайте test the password for our admin portal to make sure it works.
Step 8: As we tested the current password for the admin portal is admin/admin. Now let’s run the exploit by entering the command: python3 exploit.py —url http://localhost/wordpress/ –password “Hacked_Pass”. Observe that the password is changed by an adversary to the desired password.
Step 9: Now, давайте test the changed password works or not?
Step 10: Well, it worked, and we successfully exploited CVE-2023-32243
How to mitigate this vulnerability?
The security flaw has been fixed in plugin versions 5.7.2, and the most recent stable version available is 5.8.0. It is highly advised to update all components to the latest stable version in order to eliminate any potential risks of this nature.