CVE-2023-32243 WordPress Essential Addons for Elementor Plugin 5.4.0-5.7.1 is vulnerable to Privilege Escalation

2023-05-1207:23:22

CWE-287

Patchstack

www.cve.org

wordpress

elementor

vulnerability

privilege escalation

authentication

wpdeveloper

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

0.097 Low

EPSS

Percentile

94.8%

JSON

Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1.

CNA Affected

[
  {
    "collectionURL": "https://wordpress.org/plugins",
    "defaultStatus": "unaffected",
    "packageName": "essential-addons-for-elementor-lite",
    "product": "Essential Addons for Elementor",
    "vendor": "WPDeveloper",
    "versions": [
      {
        "changes": [
          {
            "at": "5.7.2",
            "status": "unaffected"
          }
        ],
        "lessThanOrEqual": "5.7.1",
        "status": "affected",
        "version": "5.4.0",
        "versionType": "custom"
      }
    ]
  }
]

References

packetstormsecurity.com/files/172457/WordPress-Elementor-Lite-5.7.1-Arbitrary-Password-Reset.html

patchstack.com/articles/critical-privilege-escalation-in-essential-addons-for-elementor-plugin-affecting-1-million-sites?_s_id=cve

patchstack.com/database/vulnerability/essential-addons-for-elementor-lite/wordpress-essential-addons-for-elementor-plugin-5-4-0-5-7-1-unauthenticated-privilege-escalation-vulnerability?_s_id=cve