Hackers target vulnerable Wordpress Elementor plugin after PoC released
Hackers are now actively probing for vulnerable Essential Addons for Elementor plugin versions on thousands of WordPress websites in massive Internet scans, attempting to exploit a critical account password reset flaw disclosed earlier in the month.
The critical-severity flaw is tracked as CVE-2023-32243 and impacts Essential Addons for Elementor versions 5.4.0 to 5.7.1, allowing unauthenticated attackers to arbitrarily reset the passwords of administrator accounts and assume control of the websites.
At the time, a BleepingComputer reader and website owner reported that their site was hit by hackers who reset the admin password by leveraging the flaw.
A Wordfence report published yesterday sheds more light, with the company claiming to have observed millions of probing attempts for the presence of the plugin on websites and to have blocked at least 6,900 exploitation attempts.
Txt' file, which contains the plugin's version information, and hence determines if a site is vulnerable.
Website owners using the 'Essential Addons for Elementor' plugin are advised to apply the available security update by installing version 5.7.2 or later immediately.
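For owners with many installs, the affected range above can be checked offline. The following is an added example, not code from the article or from Wordfence; it assumes the plugin's main PHP file carries the standard WordPress `Plugin Name:` and `Version:` header lines, and the folder names and headers built in `demo()` are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

FIRST_AFFECTED = (5, 4, 0)   # from the advisory: 5.4.0 through 5.7.1 affected
FIRST_FIXED = (5, 7, 2)      # from the advisory: update to 5.7.2 or later
PLUGIN_NAME = "essential addons for elementor"
# Assumption: standard WordPress plugin header lines in the main PHP file.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:[ \t]*(.+)$", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def classify(version):
    """Map a version string to vulnerable / patched / below-range / unknown."""
    m = re.match(r"\d+(?:\.\d+)*", version or "")
    if not m:
        return "unknown"                 # unparsable: needs a manual look
    parts = tuple(int(p) for p in m.group().split("."))
    parts += (0,) * (3 - len(parts))     # so "5.4" compares equal to "5.4.0"
    if parts < FIRST_AFFECTED:
        return "below-range"             # older than the stated affected range
    return "vulnerable" if parts < FIRST_FIXED else "patched"

def audit(plugins_dir):
    """Return [(plugin_folder, version, status)] for each copy of the plugin."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")  # header block only
        name = NAME_RE.search(head)
        if not name or PLUGIN_NAME not in name.group(1).lower():
            continue                     # some other plugin
        ver = VERSION_RE.search(head)
        version = ver.group(1) if ver else ""
        findings.append((php.parent.name, version, classify(version)))
    return findings

def demo():
    """Audit a constructed plugins directory (sample data, not real sites)."""
    ea = "Essential Addons for Elementor"
    samples = {"copy-a": (ea, "5.7.1"), "copy-b": (ea, "5.7.2"),
               "copy-c": (ea, "5.3.2"), "other": ("Something Else", "5.5.0")}
    with tempfile.TemporaryDirectory() as tmp:
        for folder, (name, version) in samples.items():
            d = Path(tmp, folder)
            d.mkdir()
            d.joinpath("main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
        return audit(tmp)

if __name__ == "__main__":
    for row in demo():
        print(*row, sep="\t")
```

Point `audit()` at a site's `wp-content/plugins` directory; any row marked `vulnerable` or `unknown` needs the update to 5.7.2 or later.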
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-05-12 | CVE-2023-32243 | Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor: Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1. | 9.8 |