WordPress Plugin Vulnerabilities

Essential Addons for Elementor 5.4.0-5.7.1 - Unauthenticated Privilege Escalation

Description

The plugin does not validate the password reset key, which could allow unauthenticated attackers to reset arbitrary account's password to anything they want, by knowing the related email or username, gaining access to them

Affects Plugins

Plugin icon
essential-addons-for-elementor-lite
Fixed in 5.7.2

References

CVE
CVE-2023-32243

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
Yes
WPVDB ID
4855dbf0-d40c-46be-840b-aed1168e2191

Timeline

Publicly Published
2023-05-11 (about 2 years ago)
Added
2023-05-12 (about 2 years ago)
Last Updated
2023-05-12 (about 2 years ago)

Other

Published
Title
Published
2025-08-05
Title
Reveal Listing < 3.4 - Unauthenticated Privilege Escalation
Published
2023-11-09
Title
WP User Frontend < 3.6.6 - Authenticated (Author+) Privilege Escalation
Published
2023-03-06
Title
Multiple e-plugins - Subscriber+ Privilege Escalation
Published
2024-10-09
Title
UserPlus <= 2.0 - Editor+ Registration Form Update to Privilege Escalation
Published
2025-01-17
Title
Adifier System < 3.1.8 - Unauthenticated Arbitrary Password Reset