WordPress Elementor Plugin Bug Lets Attackers Hijack Accounts on 1 million Sites (15th May 2023)

Ref# AL2023_35 | Date: May 15th 2023

Description  

One of WordPress' most popular Elementor plugins, known as "Essential Addons for Elementor," was discovered to be vulnerable to an unauthenticated privilege escalation that could allow remote attackers to gain administrator rights on the site. Essential Addons for Elementor is a library of more than 90 extensions for the Elementor page builder, used by over one million WordPress sites.

Details 

The flaw was found on May 8, 2023, and is tracked as CVE-2023-32243. It is an unauthenticated privilege escalation vulnerability in the plugin's password reset functionality, impacting versions 5.4.0 to 5.7.1. By exploiting the flaw, it is possible to reset the password of any user just by knowing their username, and therefore to reset the administrator's password and log in to their account.

This vulnerability occurs because the password reset function does not validate a password reset key and instead directly changes the password of the given user. The negative impacts of this flaw are significant and include unauthorized access to private information, website defacement or deletion, malware distribution to visitors, and brand repercussions such as loss of trust and legal compliance problems. While remote attackers do not need to authenticate to exploit the CVE-2023-32243 flaw, they need to know a username on the system they are targeting for the malicious password reset. 

The attacker needs to set a random value in the POST "page_id" and "widget_id" inputs so that the plugin does not produce an error message that could raise suspicion on the part of the website's administrator. The attacker must also provide the correct nonce value in "eael-resetpassword-nonce" to validate the password reset request, and set a new password in the "eael-pass1" and "eael-pass2" parameters.

Sadly, the nonce value is present in the main front-end page of the WordPress site, since it is set in the $this->localize_objects variable by the load_commnon_asset function. Assuming that a valid username has been set in the "rp_login" parameter, the code changes the password for the targeted user to the new one provided by the attacker, essentially giving them control of the account.
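The root cause described above is a reset handler that trusts the nonce and the supplied username but never validates a password reset key. The following is an added example of the hardened pattern, written for this alert and not taken from the Essential Addons for Elementor code; the function name, the AJAX action and the form field names (example_nonce, rp_key, pass1, pass2) are hypothetical, and it assumes it runs inside WordPress, whose check_password_reset_key() and reset_password() functions are real.

```php
<?php
// Added example (not the plugin's code): a password-reset handler that
// validates the reset key before changing anything. The vulnerable pattern
// described in the advisory skipped the check_password_reset_key() step and
// reset the password for whatever user name arrived in the request.
// Hypothetical function, action and field names; assumes WordPress is loaded.

function example_handle_password_reset() {
    // 1. The nonce only proves the request came from a page that rendered the
    //    form (and this advisory shows such a nonce can be publicly readable).
    //    It is a CSRF control, not an authorisation check, so it cannot stand alone.
    if ( ! isset( $_POST['example_nonce'] )
        || ! wp_verify_nonce( $_POST['example_nonce'], 'example-resetpassword' ) ) {
        wp_send_json_error( 'Invalid request.', 403 );
    }

    $login = isset( $_POST['rp_login'] ) ? sanitize_user( wp_unslash( $_POST['rp_login'] ) ) : '';
    $key   = isset( $_POST['rp_key'] ) ? sanitize_text_field( wp_unslash( $_POST['rp_key'] ) ) : '';
    $pass1 = isset( $_POST['pass1'] ) ? (string) $_POST['pass1'] : '';
    $pass2 = isset( $_POST['pass2'] ) ? (string) $_POST['pass2'] : '';

    // 2. The reset key is the proof that the requester controls the account's
    //    e-mail. check_password_reset_key() returns a WP_User only when the key
    //    matches the stored, unexpired hash for exactly this login; anything
    //    else is a WP_Error and the request must stop here.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( 'Invalid or expired reset key.', 403 );
    }

    if ( '' === $pass1 || $pass1 !== $pass2 ) {
        wp_send_json_error( 'Passwords are empty or do not match.', 400 );
    }

    // 3. Only now change the password. reset_password() also clears the
    //    stored key so it cannot be replayed.
    reset_password( $user, $pass1 );
    wp_send_json_success( 'Password updated.' );
}
add_action( 'wp_ajax_nopriv_example_reset_password', 'example_handle_password_reset' );
```

When reviewing a reset handler, the check to look for is that the username is never used on its own: a valid reset key bound to that username must be verified before reset_password() or wp_set_password() is called.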

Remediation 

  1. A patch was released with Essential Addons for Elementor version 5.7.2, which has been available since the 11th of May 2023. All plugin users are recommended to upgrade to the latest version as soon as possible. 

  2. It is also recommended to regularly check for updates to WordPress itself, which fix critical security issues and update features.  

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 

PDF Download: WordPress Elementor Plugin Bug.pdf
