CVE-2023-32243
published 2023-05-12

Priority: P1 / 90 / critical / 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 75.95% (99.5th percentile)

Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpdeveloper | essential_addons_for_elementor | >= 5.4.0 < 5.7.1 | 5.7.1 |
| wpdeveloper | essential_addons_for_elementor | 5.4.0 – 5.7.1 | |

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
path: /wp-content/plugins/essential-addons-for-elementor-lite
command: action=login_or_register_user&eael-resetpassword-submit=true&page_id=124&widget_id=224&eael-resetpassword-nonce={{nonce}}&eael-pass1={{password}}&eael-pass2={{password}}&rp_login={{wordpress_username}}
snort
alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin - Essential Addons for Elementor - Password Reset Attempt (CVE-2023-32243)"; flow:established,to_server; flowbits:set,ET.CVE-2023-32243; http.method; content:"POST"; http.uri; content:"admin-ajax.php"; endswith; http.request_body; content:"action"; content:"login_or_register_user"; within:28; content:"eael-resetpassword-submit"; fast_pattern; content:"true"; nocase; within:10; content:"page_id"; content:"widget_id"; content:"eael-resetpassword-nonce"; content:"eael-pass1"; content:"eael-pass2"; content:"rp_login"; reference:url,patchstack.com/articles/critical-privilege-escalation-in-essential-addons-for-elementor-plugin-affecting-1-million-sites/; reference:cve,2023-32243; classtype:attempted-admin; sid:2045879; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2023_05_30, cve CVE_2023_32243, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_05_30; target:dest_ip;)
snort
alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin - Essential Addons for Elementor - Successful Password Reset (CVE-2023-32243)"; flow:established,to_client; flowbits:isset,ET.CVE-2023-32243; http.response_body; content:"success|22 3a|true"; fast_pattern; reference:url,patchstack.com/articles/critical-privilege-escalation-in-essential-addons-for-elementor-plugin-affecting-1-million-sites/; reference:cve,2023-32243; classtype:successful-admin; sid:2045880; rev:1; metadata:attack_target Web_Server, created_at 2023_05_30, cve CVE_2023_32243, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence High, signature_severity Critical, updated_at 2023_05_30; target:src_ip;)
  • Exploit POST body targets admin-ajax.php with the WordPress AJAX action 'login_or_register_user' combined with 'eael-resetpassword-submit=true' — monitor HTTP POST requests to this endpoint for these parameters.
  • A successful exploitation response contains the JSON string '"success":true' and '"data":' in the HTTP response body — use the Snort flowbit ET.CVE-2023-32243 to correlate request and response.
  • The nonce required for the exploit is extracted from the wp-login.php page response — a GET to /wp-login.php immediately before the malicious POST to admin-ajax.php is a strong behavioral indicator.
  • Presence of the plugin directory path in web server logs can confirm a vulnerable installation is present.
  • The Snort rules (sid:2045879 and sid:2045880) require SSL/TLS decryption to be effective against HTTPS traffic, as indicated by the 'deployment SSLDecrypt' metadata tag.
  • The vulnerability affects Essential Addons for Elementor versions 5.4.0 through 5.7.1 only; version 5.7.2 is patched and should not be flagged.
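
For hosts where only web server access logs are available, the GET-then-POST behavioral indicator above can be hunted for directly. The following is an added example, not part of the source advisories or rules; it assumes Combined Log Format input, and the 30-second window and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Combined Log Format: client, timestamp, method, path (query string dropped).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>[^ ?"]+)'
)
WINDOW = timedelta(seconds=30)  # assumed correlation window; tune per site


def find_reset_sequences(lines, window=WINDOW):
    """Return (ip, login_get_time, ajax_post_time) for each GET /wp-login.php
    followed within `window` by a POST to admin-ajax.php from the same client."""
    last_login_get = {}  # ip -> time of most recent GET /wp-login.php
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or non-request lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, method, path = m["ip"], m["method"], m["path"]
        if method == "GET" and path.endswith("/wp-login.php"):
            last_login_get[ip] = ts
        elif method == "POST" and path.endswith("/wp-admin/admin-ajax.php"):
            seen = last_login_get.pop(ip, None)
            if seen is not None and timedelta(0) <= ts - seen <= window:
                hits.append((ip, seen, ts))
    return hits


# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/May/2023:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "-"',
    '203.0.113.7 - - [14/May/2023:10:02:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "-"',
    '198.51.100.20 - - [14/May/2023:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "-"',
    '198.51.100.20 - - [14/May/2023:10:09:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40 "-" "-"',
    '192.0.2.44 - - [14/May/2023:10:04:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 40 "-" "-"',
]

if __name__ == "__main__":
    for ip, got, posted in find_reset_sequences(SAMPLE_LOG):
        print(f"review {ip}: wp-login.php at {got}, admin-ajax.php POST at {posted}")
```

Access logs do not record POST bodies, so a hit is only a triage lead: confirm it against the body parameters the rules above match on, and expect ordinary logins to produce the same request sequence.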

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL