Essential Addons for Elementor < 5.8.9 – Authenticated (Contributor+) Privilege Escalation | CVE 2023-41955 | Plugin Vulnerabilities

Description

The Essential Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to and including 5.8.8 due to a lack of restrictions on who can add a registration form and a custom registration role to an Elementor created page. This makes it possible for attackers with access to the Elementor page builder to create a new registration form that defaults to the user role being set to administrator and subsequently register as an administrative user. Note that this is difficult to exploit without publishing capabilities and appears to be a regression, as an identical issue was patched in version 4.6.5.

Affects Plugins

essential-addons-for-elementor-lite

Fixed in 5.8.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8c13701e-424d-462f-b152-4dc5ad3ef197

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

No

WPVDB ID

76800214-71ac-4547-9bce-4726c51f6462

Timeline

Publicly Published

2023-09-14 (about 2 years ago)

Added

2023-11-24 (about 2 years ago)

Last Updated

2023-12-13 (about 2 years ago)

Other

Published

Title

Published

2023-11-07

Title

BadgeOS <= 3.7.1.6 - Missing Authorization

Published

2026-01-14

Title

Simple GDPR Cookie Compliance < 2.0.1 - Missing Authorization

Published

2025-04-09

Title

Rich Table of Contents < 1.4.1 - Missing Authorization

Published

2025-04-01

Title

Simple Sticky Add To Cart For WooCommerce <= 1.4.9 - Missing Authorization

Published

2023-11-14

Title

Thrive Theme Builder < 3.24.0 - Missing Authorization